Executive Summary

This document describes a Concept of Operations (ConOps) for an Integrated Vehicle Health 
Assurance System. This ConOps is associated with the Maintain Vehicle Safety (MVS) between 
Major Inspections Technical Challenge in the Vehicle Systems Safety Technologies (VSST) 
Project within NASA’s Aviation Safety Program. In particular, this document seeks to describe 
an integrated system concept for vehicle health assurance that fully integrates ground-based
inspection and repair information with in-flight measurement data for airframe, propulsion, and 
avionics subsystems. The MVS Technical Challenge intends to maintain vehicle safety between 
major inspections by developing and demonstrating new integrated health management and 
failure prevention technologies to assure the integrity of vehicle systems between major 
inspection intervals and maintain vehicle state awareness during flight. 

In order to effectively advance and implement improved vehicle safety, as well as provide a 
vision for achieving the safety of a single vehicle, a broader understanding of how to advance 
and maintain vehicle safety as a whole is necessary. That is, in order to target both near- and
long-term technology development, an understanding of what is necessary to produce an Integrated
Vehicle Health Assurance is needed. The purpose of this ConOps is to discuss a vision of how
such Integrated Vehicle Health Assurance can be achieved. Integrated Vehicle Health Assurance
is broader than a conventional vehicle health monitoring system. Rather, it is a system level 
approach focused on assuring overall vehicle health from the design stage until retirement of the 
vehicle. It combines design elements, enhanced manual inspection techniques (on-ground),
in-flight material mitigation techniques, and an advanced integrated health management system.

This Integrated Vehicle Health Assurance Concept is derived in the context of historical factors, 
present operational standards, and a projection of future safety hazards. In order to understand 
this context, this document will: 

• Review factors influencing aviation safety, both at the vehicle and subsystem levels. This 
will rely on extensive previously completed system and safety studies in the field. 

• Review the present state-of-the-art (SOA) of Vehicle Health Assurance related to the
vehicle, as well as the airframe, avionics, and propulsion subsystems. 

• Describe NASA contributions to the SOA of Vehicle Health Assurance, as well as 
NASA’s capabilities to advance the SOA especially in the airframe, avionics, and 
propulsion subsystems. 

• Review other agencies’ assessments of technology development needed for Integrated
Vehicle Health Assurance. 

Based on this overview, a proposed Integrated Vehicle Health Assurance System (IVHAS) is 
presented. This IVHAS encompasses the fields of Integrated Vehicle Health Management 
(IVHM), vehicle sustainment (scheduling and performing inspection, repair and overhaul 
actions), and design for safety. It is a system level approach focused on assuring overall vehicle 
health. 

The approach of this ConOps takes into account that NASA does not build vehicle systems. 
NASA’s role in the Aviation Safety Program is to provide a wide range of tools to enable those 
who do build, operate, and maintain aircraft to be able to achieve the next generation of vehicles 
with properties that enhance the nation’s and public’s safety. These tools must be practical to 
allow fleet wide implementation and potentially enable other benefits such as decreased 
emissions, increased performance, and decreased operating costs. A major goal is to have a major
impact on the available approaches and tools related to aviation safety within the next 5 years, and
to do so in a way that establishes the foundation for paradigm shifts in aviation technology.

A core aspect of this ConOps approach is that in order to achieve a safer vehicle and maintain 
aviation safety in the future, more intelligent vehicle systems are necessary. Local processing 
and hierarchal approaches are needed with an emphasis on producing intelligent vehicle systems. 
The fundamental concept for an IVHAS is that increased intelligence of the vehicle will enable 
improved safety. This increased intelligence is established from the bottom up with integrated 
smart sensors and materials coupled with diagnostics and prognostics operating locally, feeding
into smart nodes and subsystems, and finally across the vehicle. The envisioned intelligent
system is enabled by integrated, local smart detection, diagnostics, and prognostics. 

A safer vehicle is one that is constructed with materials that avoid safety issues, evaluates its 
own health and mitigates its own problems where appropriate, and provides information to flight 
and ground personnel in a simple, actionable way. Not all problems can be addressed given the 
resources of the MVS Technical Challenge. Rather, a range of tools will be targeted based on 
safety impact, and available NASA capabilities. 

This IVHAS will concentrate on the subsystem concepts, but will also describe the framework of 
how an IVHAS spanning the whole vehicle and ground operations could be established for future 
development. This framework motivates and guides the development and testing of technology 
for MVS. Foundational technologies for the next 5 years to enable IVHAS include: 

• Innovative sensors and diagnostic tools to provide information for the incipient diagnosis 
and prevention of potential critical failures 

• High temperature engine sensor systems that directly monitor compressors and turbines 
for reliable engine health monitoring 

• Airframe and engine materials and coatings that detect damage and minimize premature 
failures from fatigue, fracture, impact, and corrosion 

In particular, the MVS Technical Challenge proposes a three-prong solution to maintaining 
safety between inspections. First, technologies will be developed to enhance existing inspection 
methods to identify damage in areas that are difficult to access. Second, advanced materials and 
coatings will be developed to prevent damage initiation and growth. Finally, automated large 
area assessment, coupled with on-board health monitoring, will identify damage or faults that 
may occur after an inspection. 

The goal of the MVS Technical Challenge is to maintain vehicle safety between these major 
inspections. The approach toward meeting this goal is through preventative methods using 
advanced materials and material coatings to prevent damage from initiating or progressing, and 
through mitigation approaches providing better inspection methods to detect damage in 
inaccessible areas, and on-board monitoring of faults and failures. By providing multiple 
opportunities to prevent or identify unsafe vehicle health states, current levels of safety can be 
maintained or exceeded even as air travel demand, vehicle complexity, and the use of new 
materials increases. 

The MVS Technical Challenge will not develop a complete Integrated Vehicle Health Assurance 
System in the next 5 years. Instead, the concentration will be on subsystem technology 
development with activities in Sensor and Diagnostic Tools, High Temperature Engine Sensor 
Systems, and Materials and Coatings. Sensor and Diagnostic Tools affect the airframe, avionics, 
and propulsion systems including work in Digital Assessment of Aircraft Structural Health, 
Propulsion System Diagnostics, and Wiring Fault Diagnostics. High temperature engine sensor
systems provide a range of harsh environment sensor and sensor system technologies for
improved monitoring of the engine with, for example, High Temperature Smart Sensor systems. 
The Materials and Coatings element affects the airframe and propulsion subsystem including 
work in Integrated Sensing and Healing Systems, Bonded Joints and Repairs, and Engine 
Emerging Discs and Composite Materials Health. 

The approach provided by this ConOps is intended to help optimize technology selection and 
development, as well as allow the initial integration and demonstration of these subsystem 
technologies over the 5 year span of the VSST program, and serve as a guideline for developing 
IVHAS technologies under the Aviation Safety Program within the next 5 to 15 years. Examples 
of how such an IVHAS system can be implemented and its effects on safety will be discussed
related to three different scenarios of in-flight hazards after a major inspection. These examples 
are intended to demonstrate a full vehicle approach spanning design, flight, and maintenance that 
is based on the concept that a smarter vehicle is a safer vehicle. A long-term vision of IVHAS 
(beyond the scope of this program) is provided to describe a basic roadmap for more intelligent 
and autonomous vehicle systems. The tools that the MVS Technical Challenge will provide and 
the technology direction set by this ConOps are intended to be a foundation and a vision for 
improved vehicle safety in the future.

1.0 Overview and Scope

1.1 Purpose 

This document describes a Concept of Operations (ConOps) for an Integrated Vehicle Health 
Assurance System (IVHAS). This ConOps is associated with the Technical Challenge to 
Maintain Vehicle Safety (MVS) between Major Inspections in the Vehicle Systems Safety 
Technologies (VSST) Project within NASA’s Aviation Safety Program. In particular, this 
document seeks to define an integrated system concept for vehicle health assurance that fully 
integrates ground-based inspection and repair information with in-flight measurement data for 
airframe, propulsion, and avionics subsystems. 

1.2 Programmatic Relevance 

This Concept of Operations (ConOps) for an Integrated Vehicle Health Assurance System is 
being developed within the MVS Technical Challenge. This Technical Challenge intends to 
maintain vehicle safety between major inspections by developing and demonstrating new 
integrated health management and failure prevention technologies to assure the integrity of 
vehicle systems between major inspection intervals and to maintain vehicle state awareness 
during flight. Between the fiscal years (FY) of 2012 and 2016, this Technical Challenge will 
develop and demonstrate health management concepts for the airframe, propulsion, and avionics 
subsystems. The technology focus areas are: 

• Sensors and Diagnostic Tools: Innovative sensors and diagnostic tools for the incipient 
diagnosis and prevention of potential critical failures 

• High Temperature Engine Sensor Systems: High temperature engine sensor systems that 
directly monitor compressors and turbines for reliable engine health monitoring 

• Airframe/Engine Materials: Airframe and engine materials and coatings that detect 
damage and minimize premature failures from fatigue, fracture, impact, and corrosion 

Thus, Integrated Vehicle Health Assurance is broader than a conventional vehicle health 
monitoring system. Rather, it is a system level approach focused on assuring overall vehicle 
health. It combines design elements, enhanced manual inspection techniques (on-ground),
in-flight material mitigation techniques, and an advanced integrated health management system.

The MVS technical challenge will not develop a complete IVHAS in the next 5 years. Instead, the 
concentration will be on subsystem technology development. However, the design concept of 
such a complete system to assure vehicle health will serve to help optimize technology selection 
and development, as well as help enable the potential initial integration of these subsystem 
technologies as appropriate over the 5 year span of the VSST Project. Further, key research work 
towards the development of such a complete system can be considered in the next 5 years in 
MVS. 


NASA/TM—2013-217825


Additionally, the MVS activities are aimed to directly affect the other two VSST Technology 
Challenges: Improve Crew Decision-Making and Response in Complex Situations, and Assure 
Safe and Effective Aircraft Control under Hazardous Conditions. The ConOps document also 
provides a framework as to how vehicle health assurance technologies can improve crew 
decision making and assure effective aircraft control. 

1.3 Approach 

Aircraft vehicle health assurance encompasses the fields of Integrated Vehicle Health 
Management (IVHM), vehicle sustainment (scheduling and performing inspection, repair and 
overhaul actions), and design for safety. These are broad areas of investigation, the topic of a
vast array of publications and peer-reviewed literature, and often need to be addressed for
specific application environments. IVHM standardly includes the ability to monitor as well as
provide management of the health state of the system in-flight, but typically is not integrated into 
the design phase. Often these approaches concentrate on ground systems or flight systems, but 
interaction between flight and ground systems is presently limited. Vehicle health assurance 
technologies provide a variety of benefits including improved aircraft safety and reliability, 
reduced maintenance time and cost, and reduced unscheduled maintenance actions. This 
document describes an approach toward an IVHAS. 

The IVHAS provides a framework that improves vehicle safety by, in part, combining ground 
and flight information, and this document describes the required technology developments 
relevant to meeting the MVS Technical Challenge. A broad rationale is also provided for the 
basic structure and framework of a vehicle-wide IVHAS, as well as the technology components 
necessary for such a system. The approach used to achieve this ConOps for IVHAS is: 

• Review factors influencing aviation safety, both at the vehicle and subsystem levels. This 
will rely on extensive previously completed system and safety studies. 

• Review the present state-of-the-art (SOA) of Vehicle Health Assurance related to the
vehicle, as well as the airframe, avionics, and propulsion subsystems. 

• Describe NASA’s contributions to the SOA of Vehicle Health Assurance, as well as 
NASA’s capabilities to advance the SOA, especially in the airframe, avionics, and 
propulsion subsystems. 

• Present a proposed Vehicle Health Assurance Concept. This will concentrate on the 
subsystems, but will also describe how the framework of an IVHAS that spans the whole 
vehicle and ground operations could be established. 

• Discuss how such a system would be implemented, a long-term vision, and the possible 
benefits.

• Provide three relevant examples of how this Vehicle Health Assurance Concept can
improve the safety of the vehicle in response to hazards occurring between major 
inspections. 

While this document will present an overview of the broader field of health assurance and 
management, it is not meant to provide an all-inclusive review of the entire vehicle health 
management field. In general, each section is meant to be self-contained, although each
necessarily feeds into the document as a whole. Furthermore, the goal is not a
full technically detailed specification of an Integrated Vehicle Health Assurance System. The 
primary goal is to present a concept of operations intended to guide the development and 
integration of VSST funded subsystem technologies. Additional factors, such as IVHAS 
economic benefits, fleet-wide safety assurance, and military dual-use applicability are discussed 
because they are important considerations for our partners that help to ensure adaptation of the 
technology described in this report. But the primary focus of this ConOps is on maintaining 
vehicle safety in commercial aviation.

2.0 Introduction

2.1 Brief Overview of Vehicle Systems Safety Technologies (VSST) Program 

Public benefits derived from continued growth in the transport of passengers and cargo are 
dependent on the improvement of the intrinsic safety attributes of current and future air vehicles. 
The Aviation Safety Program (AvSP) is addressing this challenge by conducting cutting-edge 
fundamental research that will yield innovative algorithms, tools, concepts, and technologies 
from the discipline level up to the subsystem and system level. As a part of the AvSP Program, 
the Vehicle Systems Safety Technologies (VSST) Project is primarily focused on improving 
individual vehicle safety by addressing three Technical Challenges (TC’s): 1) Improve Crew 
Decision-Making and Response in Complex Situations (CDM); 2) Maintain Vehicle Safety 
between Major Inspections (MVS); and 3) Assure Safe and Effective Aircraft Control under 
Hazardous Conditions (ASC). These three technical challenges are represented in Figure 2.1. 
The overall goal of the VSST project is to develop technologies to reduce accidents and incidents 
through enhanced vehicle design, structure, systems, and operating concepts. All three TC’s 
contribute to this goal. Each addresses an important contributor to accidents and also considers 
the emerging trends toward future causal factors with an emphasis on single vehicle safety, not 
fleet wide issues. 

CDM provides flight deck capabilities that enable pilots to make more informed decisions when 
confronted with complex situations. From a review of recent accidents, pilots are increasingly 
faced with complex, multi-faceted situations that can’t entirely be handled by referring to a 
checklist. Given the complexities of current-day operations and trends toward greater levels of 
automation and information availability, future systems should be considered that can help pilots 
assess these situations and execute an informed course of action. CDM has focused its work on 
low altitude (near airport) and surface operations because those domains often cause the highest 
workload and historically have the highest accident rates. 

ASC research seeks to assure flight safety under hazardous conditions by characterizing and 
mitigating the impacts of hazards on vehicle dynamics and control. Hazardous conditions being 
addressed by ASC include adverse onboard conditions resulting from vehicle impairment or 
inappropriate crew response, external disturbances, and abnormal flight conditions (vehicle 
upsets). ASC research will provide pilots with predictive information on impending loss of 
control, while also informing about changes to the safe maneuvering envelope of the aircraft. 
Moreover, ASC research emphasizes a synergistic pilot/automation response to aircraft control 
under hazardous conditions. This approach helps ensure that pilots and their control systems are 
working together and not making the problem worse.

[Figure 2.1 box labels: Improve Vehicle Safety by Proactively Mitigating Current and Future Risks; Assure Safe and Effective Aircraft Control under Hazardous Conditions (ASC); Maintain Vehicle Safety between Major Inspections (MVS)]

Figure 2.1. — An organizational schematic of the VSST Project.


2.2 Brief Overview of Maintaining Vehicle Safety (MVS) 

MVS addresses critical risks for maintaining vehicle safety between major inspections. The goal 
of the MVS Technical Challenge is to develop and demonstrate new integrated health 
management and failure prevention technologies to assure the integrity of vehicle systems 
between major inspection intervals and maintain vehicle state awareness during flight. Currently, 
much of the information about an airplane’s health is obtained during a major inspection. These 
inspections are thorough, costly, and are done at set intervals based on fleet-wide averages for 
system and component reliability. There is a generous safety margin built into these intervals, but 
there are occasions where problems can come up during operations that were undetected at the 
last major inspection. Unique failures can happen due to the service history of individual 
vehicles. Contributing factors include the following: engineering predictions determined at the 
beginning of aircraft service that do not take into account vehicle history; inspections based on 
vehicle life assessments and fleet-wide schedules and not vehicle condition; faults and failures 
are detected utilizing external inspections which are not always effective; and information 
obtained during an inspection may not be properly acted upon in order to prevent a hazardous 
situation. Examples include cracking in a wing rib discovered during other unscheduled
maintenance activities [1], and continued use of a known faulty accelerometer which, when
coupled with other system faults, caused a malfunction of the autopilot system [2]. The ability to
detect these failures after major inspections, or due to events that happen in flight, is presently 
limited. 


MVS works to provide information on potential safety-related systems problems to support
in-flight decision making and targeted maintenance that can address those problems. It
accomplishes this goal through integrated systems consisting of advanced sensors as well as
diagnostic and prognostics algorithms. It also develops capabilities to help preclude some of the
most critical failures that can arise. 

Together, MVS with the other VSST TCs address important factors in the accident chain. 
NASA, working in collaboration with external partners, plans to deliver capabilities that address 
each of these TCs. This will build upon prior successes and make important contributions to 
aviation safety. This is illustrated in Figure 2.2, which shows the relationship between the 
various components of MVS, overall vehicle level health assessment, and the use of these 
technologies to improve crew decision-making, assure safe control, and target maintenance 
between inspections. 


[Figure 2.2 box labels: Airframe Subsystem; Propulsion Subsystem; Avionics Subsystem]

Figure 2.2. — A schematic of the MVS approach and its general relationship to Vehicle Level Assessment, Ground
Operations, Controls, and Crew Decision-Making


The MVS technologies are not intended to directly provide information to the crew or affect 
the control system. However, they do provide information to the Technical Challenge 
Problems that are associated with Improving Crew Decision-Making and Response in 
Complex Situations, and Assuring Safe and Effective Aircraft Control under Hazardous 
Conditions. These Technical Challenges are involved in determining the proper information 
to provide to the crew, and how to maintain aircraft control in unforeseen conditions. It is 
through such interfaces that decisions are made with respect to how to handle the information 
provided from MVS, and thus what information is to be provided to the crew, or potential 
actions by the flight control system if any. MVS will also provide information for later 
analysis and use by, for example, the ground maintenance crew.

3.0 Factors Influencing Aviation Safety

3.1 Vehicle Level Safety Factors 

There are a range of factors that influence aviation safety. In effect, safe flight of the vehicle is 
achieved through the confluence of interacting factors including the crew, the vehicle, 
environmental factors, and the supporting aviation infrastructure. The Civil Aviation Authority 
(CAA) [3] identified 283 worldwide fatal accidents during the 10-year period from 1997 through 
2006, resulting in a total of 8,599 fatalities to passengers and crew members. Of these 283 
accidents, 254 of them had identifiable primary and contributing causal factors. The most likely 
causal factor group is the “Flight Crew.” 

The second most likely contributor to fatal accidents is in the “Aircraft Related” category, with 
42% of all fatal accidents involving at least one aircraft-related causal factor as shown in 
Figure 3.1. (Note that each accident can have more than one factor and that these are not 
mutually exclusive.) Within the “Aircraft Related” category, the most common causal factor 
group is “Engine,” with 17% of all fatal accidents citing “Engine failure or malfunction” as a 
causal factor. The next most likely aircraft-related causal factor groups are “Aircraft 
Performance/Control” and “Aircraft Systems.” The remaining two aircraft-related causal groups, 
“Aircraft Structure” and “Aircraft Design,” are of significant importance to airframe research. 
Causal factors in these groups are “Corrosion or fatigue,” “Overload failure,” “Design 
shortcomings,” and “Manufacturing defects.” 


[Figure 3.1 chart title: Accident Causal Factors (Worldwide, 1997 to 2006); surviving category labels: Other, ATC/Ground Aids, Maintenance/Ground Handling]

Figure 3.1. — Most likely causal factor groups for all fatal accidents from 1997 to
2006 [3]. (Note: causal factors included in “Aircraft Related” category shown
in blue.)

Although fatal accidents are discussed above, aviation safety is also influenced by more frequent
safety incidents and accidents that affect the safety of the passengers and crew, but do not 
necessarily lead to a fatality. For example, an incident could include an in-flight engine 
shutdown, but not result in a fatal accident. These incidents affect aviation safety, and could 
under some conditions, when combined with other factors, lead to more serious accidents or 
fatalities. A statistical analysis of 1997-2006 NTSB (National Transportation Safety Board) 
accident and Federal Aviation Administration (FAA) incident data identified the top “tall poles” 
based on four types of Federal Aviation Regulations (FAR) operations (Part 121, Part 135-Scheduled,
Part 135-Non-Scheduled and Part 91) and categorized using the CAST/ICAO
(Commercial Aircraft Safety Team/International Civil Aviation Organization) Common
Taxonomy [4]. In common to the FAR operations and identified as among the top “tall poles”
were “System Component Failure — Powerplant”, “System Component Failure — Non 
Powerplant”, and “Loss of Control — In Flight” as major factors in accidents. The “System 
Component Failure — Powerplant” (SCF Powerplant) refers to component failures related to the 
engine while “System Component Failure — Non Powerplant” (SCF Non Powerplant) refers to 
component failures of other aircraft components. Overall, there are far more incidents and 
accidents than fatal accidents, but the general pattern of the incidents and accidents also supports
the importance of airframe, propulsion, and avionics systems in maintaining aviation safety.
Each of these subsystems has different types of component failure mechanisms. However, there
is often interdependence between the operation and safety of the different subsystems that affect 
each other and the overall safety of the vehicle. 

Next generation vehicles are likely to have increased usage of advanced, lightweight materials and 
structures, which will potentially introduce new safety challenges. As an example, the use of 
composite materials for fuselage structures on next-generation vehicles has increased significantly 
over the past 40 years. The Boeing 787 and Airbus A350 XWB (extra wide body) have a 50% 
composite structure by weight, compared to the current generation Boeing 777 that has 10% 
composite materials. The fuselage structure of the Boeing 787 is made mostly of composite 
materials, even though these materials exhibit complex failure modes that require new inspection 
and repair methods to ensure comparable safety to traditional metallic airframe materials. 

The aircraft safety statistics to date give an indication of past safety issues. These areas will 
continue to be a challenge. However, in the future, new safety problems may come into play for 
three major reasons: 1) Increasing air traffic means that if the safety rate remains the same, the 
number of accidents will increase, while at the same time the existing fleets will continue to age 
generating new potential safety hazards. 2) It is desired that new materials and capabilities be 
incorporated in future aircraft to improve fuel efficiency and reduce noise and emissions while 
safety is maintained at existing levels. 3) Operation of the vehicle system beyond standard design 
limits or expected lifetimes. System-level effects of the integration of new flight technologies are 
unclear and subsystem dependent. Overall, in order to understand the ability to provide health 
assurance across the vehicle, the ability to understand safety issues in each subsystem is necessary. 
The next sections review safety issues for the airframe, avionics, and propulsion subsystems.

Currently, vehicle health assurance in commercial aircraft is limited in scope (health monitoring
and health management is still evolving), level of maturity (schedule-based or reactive 
maintenance is commonplace, while autonomous healing is in its infancy), and integration (most 
health assessment approaches target individual components rather than assessing health at the 
subsystem or vehicle level). Significant amounts of information regarding necessary repairs and 
the susceptibility of current design methods to damage and degradation only become available 
after tear-down for ground inspection. Additionally, design tools for advanced materials and next 
generation aircraft are still emerging technologies. 

3.2 Airframe Safety Factors 

A 2011 Aeronautics Research Mission Directorate (ARMD) funded study by the RAND 
Corporation “Advancing Aeronautics: A Decision Framework for Selecting Research Agendas” 
stated the following as an illustrative Aeronautics Grand Challenge in safety: “Maintain passenger 
safety levels as the industry moves from aluminum to composite airplanes” [5]. The rapidly
expanding use of composites in primary aircraft structures may present new safety challenges to 
maintain the present safety levels due to complexity of the material systems and failure modes, 
potential variability in strength properties, and lack of experience in composites in commercial 
operations, inspection and repair. This is coupled with maintaining the safety of conventional 
metal-based airframe systems as notable airframe safety challenges. This section describes factors 
influencing the safety of the airframe both historically and taking into account emerging factors. 

3.2.1 Airframe Historical Data 

The airframe structure spans the vast majority of the vehicle and has historically been composed 
of metallic skin and stiffener structures. Tiffany et al. [6] document historical threats to aircraft
structure and strategies that have been established, in some cases after years of operational 
experience and accidents, to mitigate these threats. A range of serious threats to structural safety 
were identified and are summarized in Table 3.1. Each of these threats can then produce its own 
typical failure mechanism with fatigue and abrupt cracking being the most prominent. Figure 3.2 
gives a United States Air Force (USAF) example for 37 non-combat aircraft losses attributed to 
structural failure [6,7]. The majority of these losses are attributed to fatigue, debonding of the 
structure, maintenance, or a combination of these issues. 

Fatigue failures are challenging to predict primarily due to the large number of variables that can 
affect the times to develop critical crack sizes in the operational environment. Unanticipated 
conditions (e.g., debonding from a stiffener) can lead to excessive local loads and stresses 
beyond the standard design limits. Additionally, as the lives of aircraft are extended, complex 
corrosion fatigue issues are more likely to occur. Such conditions can lead to structural 
degradation and potential safety hazards. Abrupt cracking failures, caused by penetration due to 
impacts, ballistic damage or explosions, are threats that are largely addressed by developing 
structural redundancies and fail-safe concepts into the airframe. While most structural engineers 
believe that the problems associated with high operational loads have been solved, 
accidents/incidents continue to be observed as a result of unusually high operational loads caused 
by pilot error or faulty flight control systems. Accidents have in the past been averted by a 1.5 
factor of safety used to establish ultimate design loads. However, unanticipated conditions can 
result in excessive loads and operation beyond standard limits. Such conditions can lead to 
structural degradation and potential safety hazards. 


TABLE 3.1.— A LISTING OF STRUCTURAL THREATS 
AND THEIR ASSOCIATED MECHANISMS OF FAILURE [6]. 

Threat                                       Mechanism of Failure
-------------------------------------------  -------------------------
High Local Stresses                          Fatigue
Manufacturing/Material Defects               Fatigue
Maintenance Damage/Deficiencies              Fatigue
Environmental Damage                         Corrosion (material loss)
Impact from Ground Equipment                 Fatigue
Impact due to Uncontained Engine Failures    Abrupt Cracking
Impact due to Bird Strikes                   Abrupt Cracking
Impact due to Runway Debris                  Abrupt Cracking
Explosive/Ballistic Penetrations             Abrupt Cracking
High Operational Loads                       Overload
Widespread Fatigue Damage                    Fatigue


Figure 3.2. — Percentages associated with types of causes 
associated with 37 United States Air Force Structural 
Failures [6,7]. 
[Pie chart. Legible segment labels: Undetermined; Subsystems; Pilot Error, Flight System Control Error (19%); Maintenance (24%).]

In general terms, structural components are found to be adequately robust, over their service life, 
by a series of structural design requirements that must be satisfied at specified load levels. 
Consequently, it is critical to know the loads that are applied to the structure. The design process 
begins with identification of the structural loading spectrum that the assembly, part, or surface 
will be expected to experience while in service. This includes the identification of the most 
severe, but nonetheless, expected loading conditions. Often, accidents involve the realization that 
either the actual loading conditions are more severe than expected, or the capability of the 
component, structure, or system is less than expected due to some unanticipated condition being 
present [8]. These unanticipated conditions have regularly occurred in metallic aircraft, as 
evidenced by the recent discovery of cracking in a wing rib on several Airbus A380 aircraft due 
to design and manufacturing defects [1]. This fleet-wide problem was discovered during 
unscheduled maintenance for an unrelated engine failure. The fact that these conditions continue 
to occur in metallic aircraft suggests the potential for an increased likelihood of unanticipated 
failures with the increased introduction of large integral metallic structures, such as the wing ribs 
for the A380 aircraft, and complex composite material systems for aircraft primary structure. 

3.2.2 Airframe Emerging Factors 

The Rand Corporation was tasked to independently assess NASA’s ARMD portfolio as well as 
the current and future needs of the aviation community [5]. Highlighted in this report is the trend 
of using new engineering materials to reduce aircraft weight and subsequently improve 
efficiency. While the use of new materials can be beneficial, new challenges are introduced. 
Particularly, the increased use of composites for primary aircraft structure "...may have 
inherently different safety implications that will drive how we treat aging aircraft giving us the 
opportunity to weigh the benefits of composite structures against their weaknesses." [5]. Here, 
the challenge of maintaining current safety standards for commercial aircraft utilizing new 
materials and systems is emphasized. Similar concerns have been identified in a study from 
Boeing, where it is noted that safety is improved by minimizing uncertainties and risk, yet the 
introduction of new structural materials inherently increases uncertainty [9]. 


Traditional metallic-based aircraft structures have a long history, but unanticipated conditions 
and extended operation can lead to structural degradation and potential safety hazards. The 
introduction of composite materials is a significant paradigm shift in the design of aircraft 
structures. Material characterization and measurement technologies must advance in parallel 
in order to assure the future safety of these airframe structures. 


3.3 Avionics Safety Factors 
3.3.1 Avionics Historical Data 

The field of aviation electronics, or avionics, is incredibly broad and generally includes all 
sensors, communication and navigation equipment, along with the vast array of other electrical 
systems needed to fulfill the various roles required by modern aircraft. While there are an equally 
great number of safety concerns regarding many of these individual systems, this document 
focuses on the safety critical subsystems relevant to maintaining safety between major 
inspections, and in particular where single point failures can lead to multiple system faults and/or 
directly lead to loss of communication, power, or control of the aircraft. 

With these considerations in mind, our focus is on one critical, but sometimes overlooked, 
avionics subsystem with a substantial historical record relevant to both current and future 
aircraft: wiring. 

3.3.1.1 Electrical Wiring and Interconnect System 

The electrical wiring and interconnect system is a common point of failure for nearly all avionics 
equipment, and it received a great deal of attention in the late 1990s due to two tragic accidents: 
the July 1996 mid-air explosion of the Boeing 747 TWA Flight 800 and the crash of a Swissair 
MD-11 in Nova Scotia. The National Transportation Safety Board (NTSB) later determined the 
cause of the TWA 800 accident to have been a wiring failure that led to an ignition spark in the 
fuel tank [10]. It is believed electrical arcing originating from an in-flight entertainment cable 
caused the Swissair disaster [11]. These two tragic accidents generated nearly a decade of study 
to uncover the underlying issues that caused them, the results of which are briefly summarized 
below (with full details deferred to the references). 

Although the TWA 800 and the Swissair tragedies are cited as the impetus to research and 
development efforts in addressing wiring in aircraft, there have been a considerable number of 
incidents that have not resulted in crashes but have been attributed to electrical wiring failures. 
Avionics Today [12] reported that during the cruise phase of a flight, a “smoke” event is more 
than twice as likely as an engine problem to cause an unscheduled landing, according to a study 
of service difficulty reports. In-flight electrical fires are also not rare events: According to 
Captain Jim Shaw, manager of the in-flight fire project for the United States Air Line Pilots 
Association (ALPA), there are on average three fire and smoke events in jet transport aircraft 
each day in the USA and Canada alone, and the vast majority are electrical [13]. 

The Coast Guard, NAVAIR, NASA and the FAA all have programs (including joint programs) 
to assess the most prominent failures in electrical wiring. Although each agency has different 
aircraft, different maintenance practices, different data collection methods, and different 
operating environments, all of these agencies experience very similar wiring issues. A more 
extensive summary of these studies is presented in [14]. To take a particular example, Figure 3.3 
shows the wiring issues identified after deconstructing six commercial aircraft (DC-8, DC-9, 
DC-10, 727, 737, 747), in a study conducted by the FAA [15]. More than half of all of the wiring 
faults found were related to a breach in the insulation, or chafing. Another 14% of these were cut 
or broken wires that may have arisen from chafing. Furthermore, in 2005 the FAA summarized 
[16] the 7 most common problems: burned, loose, damaged, shorted, failed, chafed, and broken 
wires account for 84% of all wiring failures. The above highlighted study overwhelmingly points 
to chafing as the common precursor to a large majority of severe wiring issues (opens, shorts, 
and arcing which lead to smoke and fire events). In addition to chafing, other studies have shown 
connector related faults are also frequently cited as a primary area of concern [14]. Ultimately, 
the studies summarized here led to the FAA issuing new rules in 2007 on wiring maintenance 
and inspection. 

Figure 3.3. — FAA findings from examining 6 aircraft: DC-8, 
DC-9, DC-10, 727, 737, and a 747 [14]. 


Even with these new rules now in place, one still finds evidence of wiring system difficulties. A 
large source of current and publicly available information lies in the Service Difficulty 
Reporting database [17] maintained by the FAA. In particular, a search for fault code 2497 
(power system wiring) reveals 94 recorded incidents in 2011 alone, many of which, but not all, 
are in commercial aircraft. A search for fault code 2797 (flight control system wiring) reveals 45 
records for the same year, including at least one chafing incident in a Boeing 737 that led to an 
emergency landing [Unique Control #CA1 10125022]. Thus, while there have been no major 
wiring related fatalities in part 121 operations (commercial aircraft) in the United States since the 
TWA and Swissair accidents at the end of the 20th century - and the FAA rules have been 
extremely effective - electrical system incidents do still occur on a routine basis. In addition, the 
Department of Defense has a variety of ongoing work related to improving wiring system design 
and developing new detection technologies [18]. However, the electronic detection of chafing 
and connector faults in practice, before consequences become noticeable, remains a significant 
problem still in need of enabling research. 


The Electrical Wiring and Interconnect System (EWIS) in any vehicle is a critical, and 
sometimes overlooked, avionics subsystem where relatively minor issues can grow and 
eventually lead to serious safety problems like smoke, fire, and loss of critical system 
functionality. 


3.3.2 Avionics Emerging Factors 

As aircraft become more electric, a range of avionic components and subsystems may generate 
new safety hazards, three of which are summarized below. Predominately, each of these have 
depended on the integrity of the wiring system for proper operation. 


NASA/TM—2013-217825 

3.3.2.1 ElectroMechanical Actuators 

Although ElectroHydraulic Actuators (EHAs) and ElectroMechanical Actuators (EMAs) are 
relative newcomers to the aviation industry, they are finding increasing use over purely 
mechanical hydraulic systems on aircraft, mostly because they compactly offer higher overall 
system performance and weight savings [19]. Furthermore, given that EHAs and EMAs have 
responsibility over manipulating the aircraft’s control surfaces, failures of these systems have 
rather obvious safety consequences, and accidents have already occurred. One unfortunate case 
was Alaska Airlines MD-80 flight 261, where a horizontal stabilizer actuator failed due to 
insufficient lubrication and excessive wear of its jackscrew [20]. The aircraft crashed, killing all 
aboard. 

3.3.2.2 Batteries 

Depending on type, most modern aircraft employ batteries to start engines and auxiliary power 
units, to provide emergency back-up power for navigation units and fly-by-wire computers, 
and/or to provide ground power capability for maintenance and preflight checkouts. Newer 
“maintenance free” sealed-cell aircraft batteries are typically left on the aircraft for their fixed 
service lifespan of 2 to 5 years, with no scheduled maintenance during this period [21]. Thus, 
monitoring battery health for safety critical systems is necessary to detect incipient failure 
mechanisms and to actively ensure their availability when needed - especially for backup 
systems. In addition, unmanned aerial vehicles (UAVs) rely on battery power for flight control 
actuation when the main power source fails. Thus, reliable battery health management will be 
essential for safe operation of UAVs in the national airspace. 

3.3.2.3 Avionics for Flight Automation 

Flight critical avionics subsystems such as global positioning (GPS) and inertial 
measurement/reference units (IMU/IRU) are playing ever-increasing roles in many aspects of 
aircraft flight [22]. The common electrical failure mechanisms for these systems are capacitor 
and MOSFET (metal oxide semiconductor field effect transistor) degradation that can lead to 
glitches in the GPS position and velocity measurements. Other issues are loss of receiver lock on 
the GPS satellites along with IMU accelerometer and gyro biases [22]. Clearly, the 
measurements provided by these systems are critical to the proper operation of flight automation 
and management systems. Failures in these systems lead to unsafe and unintended automation 
commands and crew confusion. One example upset event, involving a Boeing 777-200 operating 
240 km northwest of Perth, Australia in 2005, occurred when a failed accelerometer component 
of an IRU and latent software errors ultimately caused the primary flight display to 
simultaneously indicate both a stall and over-speed condition. The aircraft pitched up into a 
climb while the indicated airspeed decreased from 270 to 158 knots. The stall warning and stick 
shaker devices activated. Fortunately, the aircraft was safely returned to the ground [2]. 

3.4 Propulsion Safety Factors 

Aircraft engines are complex systems consisting of static and rotating components, along with 
associated subsystems, controls and avionics. They are required to provide reliable power 
generation over thousands of flight cycles while being subjected to a broad range of operating 
loads and conditions, including harsh high temperature environments. Reliable operation of these 
engines is critical for aircraft safety. Over repeated flight cycles, the life of many engine parts 
may be degraded, and engine malfunctions may occur. Other events related to the environment 
such as bird strikes, volcanic ash, or icing may affect and degrade engine operation. Engine 
maintenance is primarily performed on a schedule, rather than based on the condition of the 
engine. However, ground-based inspections or standard maintenance operations cannot identify 
all the problems that can potentially occur in-flight. Overall, ensuring propulsion safety requires 
a multi-faceted approach, which includes design, certification, airworthiness directives, pilot 
training and awareness, inspection, maintenance, overhauls, condition monitoring, etc. The role 
of the propulsion system in aviation safety can be examined by reviewing historical aviation 
safety data and considering anticipated future safety challenges. 

3.4.1 Propulsion Historical Data 

Past technology advances made by the aviation community have resulted in aircraft propulsion 
systems with excellent safety and reliability records. However, Propulsion System Malfunction 
(PSM) still contributes to a number of aviation safety accidents and incidents. A review of global 
fatal aviation accident causal factors, including PSM causal factors, has been reported by the 
Civilian Aviation Authority [3]. Figure 3.4 breaks down the causal factors for fatal accidents 
further into primary and contributing factors. This figure illustrates that while the engine is less 
frequently the primary causal factor in fatal accidents, it often plays a significant role as a 
contributing factor. 

Figure 3.4. — Breakdown of all fatal accidents by causal group (showing all causal 
factors (red) and primary causal factors (blue)). Propulsion system malfunction 
as significant contributing factor to events in aviation safety [3]. 

Engine primary causal factor events are often due to uncontained rotor failures resulting in the 
uncontained release of high kinetic energy debris [23]. These can cause catastrophic damage to 
the aircraft structure and systems, negatively impacting the controllability of the vehicle, and/or 
resulting in serious injury or fatalities to the vehicle occupants. Additionally, environmental 
causal factors such as icing, volcanic ash ingestion, or bird ingestion can cause single-engine or 
multi-engine power loss events. 

Engine contributing factor events are cases where propulsion system malfunctions are one of a 
combination of causal factors leading to the accident. For example, an aviation accident or 
incident may occur when a single benign propulsion system malfunction, not normally 
considered a significant safety concern, occurs coupled with the pilots’ inappropriate or lack of 
response to the malfunction. Likewise, a single propulsion system malfunction may cause other 
events or malfunctions to which pilots could respond inappropriately. Such a series of events, 
termed Propulsion System Malfunction Plus Inappropriate Crew Response (PSM+ICR), is 
frequently a contributor to aircraft accidents and incidents, including loss of control (LOC) 
accidents. For example, “A consistent contributing factor in PSM+ICR events is the lack of crew 
awareness of the existence, location, or type of the PSM, i.e., there is no clear, explicit indication 
or annunciation of the engine malfunction or the affected engine(s). In many cases, even when 
the crew is aware a malfunction exists, they are unaware that it is propulsion system related..” 
[24]. 

The causes of PSM can be wide ranging. The propulsion system is composed of numerous 
moving and static parts and functionalities operational over a wide range of conditions. The high 
pressure compressor (HPC) or turbine (HPT) may operate at high temperatures with a high-speed 
rotation, while the lubricated components such as bearings or bearing seals operate in more 
benign environments but under high stress and they must maintain their integrity for proper 
engine operation. Malfunction or failure of these components can cause in-flight engine damage, 
in-flight engine shutdown (IFSD), or even unscheduled engine removal (UER). In general, 
monitoring across the whole engine is a notable challenge covering a range of operational 
conditions, and would be needed to fully monitor the wide range of potential failures. However, 
there are areas of the engine and its operation that stand out. 

Figure 3.5 examines the contribution of various propulsion system components/subsystems to 
engine damage and ICR [25]. Notable contributors are gas path and lubricated components. To 
summarize, “These results suggest that improved damage detection for gas path and lubricated 
components would also address the majority of the indeterminate cause events.” One 
complicating factor in achieving improved damage detection is the contribution of sensor failure 
leading to in-flight shutdowns even in existing engine monitoring systems. Similar results are 
seen in military aircraft where turbines, bearings, and compressors are components with the 
greatest component costs associated with mishaps in class A and B engines [26]. 

Figure 3.5. — The relative contributing factors of various 
propulsion system related components and subsystems to 
Engine damage during inappropriate crew response (ICR) 
events [25]. 


To summarize, the propulsion system is composed of numerous rotating and static parts and 
accessories operational over a wide range of conditions including harsh high temperature and 
high stress environments. The cause of PSM can vary across the range of these propulsion 
system component parts. Catastrophic engine failure events are rare, and when they do occur are 
often due to uncontained rotor failures. Gas path components, as well as the lubrication 
system/lubricated components, stand out as strong contributors to IFSD and engine malfunctions. 
Sensor reliability is a major issue for in-flight shut-downs. 

3.4.2 Propulsion Emerging Factors 

Propulsion systems have undergone significant changes recently in order to realize improved 
efficiency. Two of the new technology developments that directly involve the use of new 
material systems are 1) composite engine containment systems and 2) higher temperature alloys 
for turbine blade fabrication. Each of these material changes was made with improved 
efficiency in mind to reduce the weight of the propulsion system and to increase the operational 
temperature of engines. As with the introduction of composite materials for primary airframe 
structures, more pervasive use of composites across the vehicle, including potentially closer to 
the hot sections “...may have inherently different safety implications that will drive how we treat 
aging aircraft... [5]”. The use of these materials requires knowledge of how they perform in 
service and what effect the new operating (i.e., higher operating temperature) conditions will 
have on the long-term behavior of these materials. Further, the move to more electric propulsion 
systems or Distributed Engine Control may suggest the use of electronics and control systems in 
environments beyond that of traditional technologies [27-28]. 

Aircraft propulsion systems are complex and subjected to a broad range of operating 
environments. Reliable propulsion system operation is core to maintaining overall vehicle 
safety. Propulsion system malfunctions can contribute to inappropriate crew response or loss 
of control related aviation accidents. 


3.5 Brief Summary of Factors Influencing Aviation Safety 
3.5.1 Vehicle System Summary 

• Highly reliable aircraft systems and components do experience failures and malfunctions 
that contribute to aviation accidents and incidents. 

• The combination of system and component failures combined with inappropriate crew 
responses and loss of control are notable contributors to accidents and incidents. Providing 
the crew with reliable, accurate information as appropriate can improve crew response in 
hazardous conditions. 

• New materials and technologies will be incorporated into aircraft designs for a range of 
reasons. However, with the introduction of these new technologies, existing safety levels 
must be maintained or improved upon. 

• Because there are multiple accident and incident causes across a vehicle that can be 
interdependent, safety system challenges and solutions vary between the subsystems, but 
must combine in a whole vehicle. 

• Vehicle health assurance technologies will have to evolve to keep pace with the system- 
level effects of increasing number of flights, the integration of new technologies, and an 
operation beyond standard design limits or lifetimes. 

• Maintaining vehicle safety does not begin when a vehicle enters into service, but is a life- 
cycle process starting from the design phase and extending throughout the lifetime of the 
vehicle. 

• The capabilities for next generation design tools, vehicle inspection, and on-board health 
state awareness that are now applied in standard operation are limited. 

3.5.2 Airframe Summary 


• The airframe composes the majority of the aircraft structure. The existing fleet is 
predominately metallic based with a significant amount of previous history. 

• However, this fleet is aging and long-term operation without a complete history of the 
stress loads that the structure has been exposed to may lead to unexpected structure 
failures. 

• Unanticipated conditions and use of the vehicle in ways not intended in the design phase 
can occur that lead to excessive stress loads and operation beyond standard limits. Such 
conditions can lead to structural degradation and potential safety hazards. 

• The use of composites in primary aircraft structures is a paradigm shift in aircraft 
structures. The properties of composites are not as well understood as in the 
corresponding metal systems. 

• The introduction of composite airframe structures presents elevated safety risks due to 
complexity of the material systems and failure modes, potential variability in strength 
properties, and lack of experience in composites in commercial operations, inspection and 
repair. 


3.5.3 Avionics Summary 

• The electrical wiring and interconnect system is a core avionics component affecting 
nearly all avionics equipment. It is also a common point of failure that can bring down 
critical systems, and cause failures in multiple subsystems, through opens, shorts, arcing, 
and electrical fires. 

• Wire chafing is a dominant precursor failure mechanism, which when detected early can 
enable preventative maintenance long before safety becomes an issue. 

• Future aircraft systems will require more wiring to support additional functionality. Some 
of the wiring will be high-power, which introduces new fault possibilities. 

• Future flight critical avionics systems are emerging, including electromechanical and 
electrohydraulic actuators, batteries (especially as the industry moves closer to the all- 
electric aircraft), and newer information systems, such as GPS, to support automated 
flight-management. 

• Failures in these systems can have dire consequences but the health management 
capability to help prevent accidents resulting from the increasing complexity is limited. 

3.5.4 Propulsion Summary 

• The propulsion system is complex with multiple operational regimes. Rotating and high 
temperature components, and the lubrication system and lubricated components, are 
specific propulsion subsystems that can yield propulsion system malfunctions. 

• Environmental effects, such as icing and bird ingestion, can lead to single-engine or multi- 
engine power loss. 

• Propulsion system degradation and damage that develops over time in hot section 
components can lead to in-flight shutdowns. Events such as uncontained rotor failures can 
lead to catastrophic failure. 

• Sensor reliability is a notable challenge in part given the operational environments. 

• Propulsion system malfunction plus inappropriate crew response is a significant aviation 
safety concern. 

• Emerging factors such as the use of composite engine materials and the operation of 
engines at higher temperatures can have notable impact on engine safety. 

• Improved detection and diagnosis of incipient engine faults in the early stages can help 
mitigate the safety impact of component failures that do occur. 

4.0 Present State-of-the-Art of Vehicle Health Assurance 

Section 3.0 described the factors influencing aviation safety as a combination of both vehicle and 
subsystem challenges. In particular, there is an interrelation between subsystem and vehicle 
health, as well as between subsystems. In order to understand how aviation safety can be 
improved, this section gives an overview of the present state of the art in vehicle health 
assurance both on the vehicle and subsystem level. This overview is not exhaustive, but is meant 
to provide an understanding of the framework and approaches to present vehicle health assurance 
and provide a foundation for possible future advancements. 

4.1 Vehicle State-of-the-Art 

The present state-of-the-art (SOA) in overall Vehicle Health Assurance is summarized in Figure 
4.1. It can be considered an approach that has been notably “stove-piped” into three separate 
components during the evolution of flight systems and complementary technologies. These 
components of the present Vehicle Health Assurance approach include: 

1) Design and testing; 

2) On-Vehicle Monitoring; and 

3) Ground based maintenance. 

These components of present vehicle health assurance are evolving over time, but a snapshot of 
the approach for each section of the block diagram in Figure 4.1 is described very briefly below. 

4.1.1 Design and Testing 

The design of aircraft systems has a long and successful history. This design process includes the 
use of known materials with well-understood properties, extensive modeling and life prediction, 
and following the certification procedures set forth by the Federal Aviation Administration 
(FAA). However, aircraft are being extended past their design life and as noted by Tiffany et al. 
[4] “as aircraft structures are used beyond their initial intended design life goals, new 
unidentified cracking sites and cracking behaviors are again leading to new catastrophic 
structural failures”. While safety of the vehicle is strongly considered in the design stage, this is 
predominately done historically by adjusting design margins. Design margins are purposely 
targeted with the understanding that during operation limited information on a number of vehicle 
state parameters will be available. Thus, vehicle systems can be, effectively, “overdesigned” to 
allow for a built-in safety margin. Although there are a number of sensors built into the aircraft 
and used for control and operations, the addition of a comprehensive Vehicle Health 
Management system is typically not part of the design process. Rather, implementation of 
Vehicle Health Management is carried out after the design phase using the existing sensor and 
avionics infrastructure. In general, Vehicle Health Management is integrated into the vehicle as 
an add-on rather than a core design consideration. 

Figure 4.1. — A simple overview of the present state-of-the-art (SOA) in Vehicle Health Assurance. 


4.1.2 On-Vehicle Monitoring 

The vehicle operational sensors do provide a notable amount of information related to the vehicle 
operation. In contrast, the number of sensors and on-board diagnostics implemented solely for 
health management purposes is presently limited. A significant amount of operational 
information has been available, but the amount of information that is relevant to health 
management varies among the multiple subsystems (see the discussion in Sections 4.2 to 4.4). 
There has traditionally been a limited amount of information that is fed in real-time to the ground 
operations. Recently, more advanced on-vehicle health monitoring systems have begun to 
expand what is available for health assurance purposes. Such capabilities include the ability to 
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have a selected number of in-flight faults, customer-specified alerts, and simple text information 
(Aircraft Communications Addressing and Reporting System or ACARS) communicated to the 
ground [29,30], The amount of data transmitted is limited, if for no other reason than the huge 
amount of data available, and challenges in transmitting such large amounts of data in-flight. 
Upon arrival, further information can be provided to ground maintenance. Examples include the 
data associated with tire pressure, oxygen pressure, hydraulic fluid, and engine oil levels. Again, 
a notable challenge is proper infrastructure for the handling of the large amount of data available 
in an effort to improve the safety, as well as the efficiency, emissions profile, and performance of 
the aircraft. 

4.1.3 Ground-Based Maintenance 

Vehicle inspections are initiated if an on-board alert or potential issue has been identified, or as 
part of a standard maintenance schedule. Inspections are performed either visually or using non- 
destructive evaluation (NDE) techniques. The information provided by these inspections is 
compared to fleet wide averages and used to identify potential issues in the health of component 
parts. If an issue is identified, the ground crew can repair or replace the affected component, or 
plan to simply monitor the situation. The fundamental aspect of ground maintenance is that it is 
typically performed to a schedule, or if an inspection is warranted by a trend or alert. This 
schedule is set forth by the manufacturers and the regulatory agencies to maintain the continued 
airworthiness of the vehicle. This maintenance may include operations or replacement of parts 
not mandatory given the state of the individual vehicle, but dictated by the maintenance schedule 
for vehicles of this type. It is not performed as needed based on individual vehicle life history 
(condition-based maintenance). 


A fundamental aspect of this present approach is its centralized nature. This centralized nature 
is limited in its ability to ascertain the specific health state of the vehicle. Large amounts of 
data are stored in centralized locations with limited pre-diagnostic processing. The on-board 
information transmitted in-flight to the ground is prioritized and constrained by processing 
and bandwidth restrictions. The sensor data tend to be based on sensors initially intended for 
vehicle operation; they are not targeted directly towards health monitoring and do not emphasize 
on-board diagnostics or prognostics processing. Maintenance is predominantly on-schedule, based 
on past fleet history, not the vehicle’s condition. 


These trends are reflected on the subsystem level. A challenge is to ensure that disparate 
subsystems report associated faults according to a standard protocol that allows for proper 
processing and system-level health determination. The methods used for subsystem health 
determination vary depending on the type of measurements available to extract fault signatures. 
Typically, instrumentation suites are limited due to weight and processing constraints and 
provide only high-level fault indications. A discussion of the SOA for airframe, avionics, and 
propulsion is presented below. 

4.2 State-of-the-Art in Airframe Health Assessment 

Today, aircraft structural health is generally managed through a series of inspections. Regular 
visual inspection is performed prior to each flight by the aircraft crew. More detailed scheduled 
inspections occur at specified intervals based on aircraft certification requirements and fleet 
history. Additionally, unscheduled detailed inspections can be triggered by a known event such 
as a bird or lightning strike or as the result of crew findings. Visual inspection of components for 
damage of the structure is the primary nondestructive inspection (NDI) method used. Regulatory 
bodies have issued formal descriptions for both visual examinations and for all NDI. Visual 
inspections are much more common and comprise the majority of all aircraft inspections 
(approximately 80% [31]). Visual inspection consists of using the inspector's eyes, often aided by magnifying 
lenses and supplementary lighting, as the detection device. Inspectors must visually scan the 
whole structure of interest, typically using portable mirrors to examine areas not directly visible. 
Once damage is observed, a sequence of discrete steps is initiated including: quantification of the 
damage by advanced nondestructive evaluation (NDE), engineering analysis of the significance 
of the damage to the structure (typically based on damage size and location allowables 
determined by initial testing and analysis during aircraft design and certification), and disposition 
of damage as either requiring repair or “safe-to-fly.” 

While this reliance on visual inspection works well for relatively large-scale damage, each of 
these steps has a level of inherent risk, including risk introduced by human factors that 
cumulatively could reduce the margins of safety associated with the structure. In addition, 
subsurface or small-scale surface damage may be dismissed or go undetected. For composite 
structures, the current design practice is to set the inspection threshold at barely visible impact 
damage (BVID); any damage smaller than BVID is not considered to affect the safety of the 
structure. Today, for all material types, both the allowable damage limits and critical damage 
size are determined primarily through extensive coupon, subcomponent and component level 
testing [32]. In practice, multi-site damage may be sufficiently close as to interact with each 
other or with other types of damage leading to unanticipated reduced margins of safety. These 
include multiple fatigue cracks in metallic structure, or low energy impact damage, which for 
composite structure is below that which results in BVID. 

NDI procedures and their inspection intervals are documented in the maintenance technical 
manuals associated with each aircraft [33]. The inspection results are recorded, either manually 
or electronically, and kept with the associated aircraft throughout its service life. Current 
protocol utilizes the inspection data in order to make case-by-case decisions regarding the 
specific component. Airframe components are managed using a damage tolerance approach. 
Damage tolerance components are managed using periodic inspections based on fatigue crack 
growth predictions [34]. The results of each inspection are used to determine if the existing 
damage is safe for operation until the next scheduled inspection. If the damage is benign, no 
action is necessary. If the damage may result in a safety concern prior to the next inspection, then 
the component may be repaired or refurbished if a certified process exists, or may require 
replacement if no certified process exists or if the damage is determined to be too extensive [35]. 
Inspection criteria based on damage tolerance predictions have been adjusted based on 
operational history, allowing for a reduction in applied factors of safety without reducing the 
actual operational safety of aircraft. This has proven to be an effective and safe approach since 
the implementation of damage tolerance approaches in aircraft management, as airframes have 
only undergone incremental changes. However, with the introduction of composite materials in 
primary structure and the widespread insertion of new aluminum-lithium alloys, less is known 
about the long term performance of these materials thereby requiring the application of higher 
factors of safety than are used for most current aircraft. For fracture critical components (e.g., 
within landing gear or turbine engines), replacement is the only course of action upon finding a 
flaw. 

Fracture critical components are defined as components whose failure represents a hazard to the 
entire aircraft [36]. Currently, fracture critical structural components within commercial aircraft 
are designed based on the safe life approach [37,38]. Within the book life or within a specified 
inspection period, whichever is less, a damage tolerance fatigue crack growth analysis must be 
performed to determine whether the component has adequate margin for failure from material, 
manufacturing, or service induced flaws or cracks. The safe life approach states that a component 
should be retired when the book life is reached, or when there is an inadequate fatigue crack 
growth margin prior to the next scheduled inspection. The book life for a component expected to 
fail due to crack growth is based on the number of fatigue cycles to crack initiation. For the case 
of a commercial aircraft turbine component that is designed for low cycle fatigue, a cycle is 
considered one complete flight that includes take-off, cruise, and landing. When designing a safe 
life component, stresses are obtained by conducting a finite element analysis with load and 
temperature inputs based on assumptions, tests, and previous experience. Material properties 
(e.g., fracture and creep resistance) are based on an extensive specimen scale data base. To 
account for load, environment, and material variability as well as deficiencies in design tools, a 
statistical rule is typically applied [39]. As is the case for the insertion of new materials in a 
damage tolerance design, the use of new materials in safe-life designs where there is little to no 
operational history requires the use of more conservative design margins. It is necessary to 
monitor new materials closely and evaluate design criteria as an operational history is 
established. 

As described above, aircraft operators rely on visual and relatively simple inspection tools for 
assessment of airframe health. Due to the costs associated with advanced NDI tools, operators 
are reluctant to purchase all but the most simple inspection tools. For this reason, current tools 
have been developed that are simple to use and relatively inexpensive. For example, General 
Electric and Boeing jointly developed a probe system for 787 airframe inspection [40]. The 
probe provides a pass/fail indication after the probe is calibrated using a calibration block of 
properties suitable for the inspection location. This tool still relies on the operator to map the 
defect in order to determine size. While scanning systems have been developed [41], cost can be 
prohibitive for operators. Although some work has been done, overall, Structural Health 
Monitoring (SHM) is limited in sensor requirements, standards, and policies, which leads to 
variability in product development and demonstrations [42]. Although SHM systems have many 
potential benefits, they are typically demonstrated by monitoring a hot spot where damage 
already exists or is likely to form [43]. 

The Aerospace Industry Steering Committee on Structural Health Monitoring and Management 
(AISC-SHM) is working on a document “SHM guidelines for aerospace” to address an overall 
SHM approach. The document is targeting a 2012 release date. The team includes the large 
aircraft manufacturers Boeing and Airbus, and NASA. This group is “an international team 
comprising industry, government and academic participants with a collective vision to efficiently 
and effectively implement structural health monitoring for a wide variety of commercial and 
military aerospace applications through the development of guidelines, procedures, processes 
and standards for implementation and certification of the technologies.” [44]. Aviation Week 
picked SHM and Aircraft Health Monitoring as 2nd and 3rd on their list of 10 technologies to 
watch in 2011 [45]. 


The SOA in Airframe Health assessment is dominated by significant reliance on visual 
inspection followed by NDE techniques as problems are identified. A safe life approach is 
used in the design of component materials, which includes a set lifetime for component parts. 


4.3 State-of-the-Art in Avionics Health Assessment 

In this section we briefly review the current industrial capability and emerging technology most 
relevant to the health management of the safety critical electrical systems identified earlier in this 
report. First, Electrical Wiring is discussed, and then a range of other avionics systems. 

4.3.1 Electrical Wiring and Interconnect System (EWIS) 

The current FAA rules for EWIS design, recently updated in November 2007, take almost every 
practically feasible precaution to ensure best practices for wiring system design and maintenance 
are followed [46]. However, there are currently no automated non-destructive evaluation 
methods required to ensure that these systems remain safe between regular inspection intervals, 
and in part this is because the required technology either does not yet exist or is not yet mature 
enough. 

4.3.1.1 Test Equipment 

The industry standard method for detecting and diagnosing wiring issues is Time Domain 
Reflectometry (TDR). This technique works by first inducing an electric pulse on a target wire, 
and then analyzing the reflected response for anomalies that may be indicative of a fault. The 
distance to fault is determined by timing the return of the fault’s reflection relative to the incident 
pulse, the speed of propagation, and the length of the wire. The phase (or sign) of the reflection 
distinguishes between open and short conditions. 
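
The timing and polarity rules above, worked through on a synthetic trace. This is an added illustration, not code from the report or from any TDR product; the sample rate, velocity factor, thresholds, and the names `make_trace` and `analyse` are assumptions.

```python
"""Locate a wire fault from a TDR trace (added illustration, constructed data)."""
import math
from dataclasses import dataclass

C_M_PER_S = 299_792_458.0  # speed of light in vacuum


@dataclass
class TdrResult:
    kind: str                # "open", "short", "end-of-wire" or "no-fault"
    distance_m: float        # distance from the test port; NaN if nothing found
    reflection_coeff: float  # reflected peak / incident peak (sign = polarity)


def make_trace(n, fs_hz, vf, reflector_m, gamma, launch_idx=20, width=4.0):
    """Constructed test input: Gaussian incident pulse plus a single echo."""
    delay = round(2.0 * reflector_m / (vf * C_M_PER_S) * fs_hz)  # round trip

    def pulse(i, centre):
        return math.exp(-0.5 * ((i - centre) / width) ** 2)

    return [pulse(i, launch_idx) + gamma * pulse(i, launch_idx + delay)
            for i in range(n)]


def analyse(trace, fs_hz, vf, wire_len_m,
            launch_win=40, blank=15, threshold=0.1, end_tol_m=0.5):
    """Return the dominant reflection as a TdrResult.

    vf is the cable's velocity factor (propagation speed as a fraction of c).
    All default parameter values are assumptions chosen for this example.
    """
    # Incident pulse: largest excursion inside the launch window (assumption:
    # the instrument fires at the start of the record).
    inc = max(range(min(launch_win, len(trace))), key=lambda i: abs(trace[i]))
    # Skip a blanking interval that hides the tail of the incident pulse.
    # This creates a short dead zone next to the test port.
    start = inc + blank
    if trace[inc] == 0 or start >= len(trace):
        return TdrResult("no-fault", math.nan, 0.0)
    ref = max(range(start, len(trace)), key=lambda i: abs(trace[i]))
    gamma = trace[ref] / trace[inc]
    if abs(gamma) < threshold:
        return TdrResult("no-fault", math.nan, 0.0)

    # The pulse travels to the discontinuity and back, hence the division by 2.
    round_trip_s = (ref - inc) / fs_hz
    distance = vf * C_M_PER_S * round_trip_s / 2.0

    # Same polarity as the incident pulse: impedance went up (open).
    # Inverted polarity: impedance went down (short).
    # An open-like echo at the known wire length is the unterminated far end,
    # which is why the wire length has to be supplied.
    if gamma > 0 and abs(distance - wire_len_m) <= end_tol_m:
        kind = "end-of-wire"
    else:
        kind = "open" if gamma > 0 else "short"
    return TdrResult(kind, distance, gamma)


if __name__ == "__main__":
    FS, VF, LENGTH = 1e9, 0.66, 30.0   # 1 ns sampling, constructed 30 m wire
    for label, where, g in (("short", 12.0, -0.8), ("open", 12.0, 0.8),
                            ("healthy", 30.0, 0.9)):
        print(label, analyse(make_trace(400, FS, VF, where, g), FS, VF, LENGTH))
```

At 1 ns sampling and a velocity factor of 0.66, one sample corresponds to roughly 0.1 m of wire, which bounds the distance resolution of this sketch.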

Although TDR is viewed as an industry standard, the reflection results can be difficult to 
interpret and the technology has so far found success primarily in the ability to detect hard open 
or short circuits, as can be seen, for example, in the 2007 FAA study of currently available off- 
the-shelf systems [47]. There are several well-established manufacturers of TDR test equipment 
for use in the aviation industry [48-50]. There are also a wide variety of variations on the TDR 
method, such as Frequency Domain Reflectometry (FDR), Time-Frequency Domain 
Reflectometry (TDFDR) [51,52], Spread-Spectrum TDR (SSTDR) [53], Pseudo-Random Binary 
Pulse TDR, Broad-Band Impedance Spectroscopy [54], and Excited Dielectric Test [55] 
methods. Each of these methods employs essentially the same physical mechanism where an 
input voltage signal is applied (but different in each case) and the cable response is measured and 
analyzed through a variety of signal processing techniques, both basic and advanced. Finally, we 
mention here that approaches to new wiring designs that enhance TDR based fault detectability 
(as well as self-healing materials) have been investigated as well [56]. 

Other fundamentally different technologies offered by industry for diagnosing wire faults, 
including some types of intermittent and chafing faults, are Low Energy High Voltage (LEHV) 
and Pulse Arrested Static Discharge (PASD) systems. In LEHV, the target wire is slowly 
charged until an arc-event occurs at the fault location. In PASD a short high voltage pulse is 
launched onto the wire, at increasing amplitudes, until a breakdown occurs at the fault location 
[57]. In both cases, the wire fault is located by processing the arc-event waveform measured at 
the source. Both of these technologies are only applicable to un-powered wires, require relatively 
small air gaps between the powered and grounded conductors (so that an arc can occur), and are 
sensitive to environmental factors like humidity. It is also difficult to prove these technologies do 
not degrade wire performance over long term extended use. Two manufacturers have teamed to 
offer a single wire integrity test tool that combines the latest high-voltage and TDR based test 
technologies [58]. Other companies offer complete ground based wiring system analysis 
capabilities that combine the many different technologies to perform continuity, insulation, and 
isolation tests [48]. 

Finally, at least one company [59] has also developed a fiber optic wiring degradation detection 
system combined with a diagnostic and prognostic monitoring system. This consists of multiple 
optical fibers strung with the harness. Should the harness suffer pinching (e.g., clamps that are 
too tight, poor hatches) fiber(s) would be damaged and therefore the point of damage could be 
determined with the use of optical domain reflectometry. A more extensive summary covering 
many of these variants and more is presented in [14]. 

4.3.1.2 Wiring System Design/Analysis Tools 

Companies also provide assessment software capabilities to ensure the FAA wiring system 
design rules are met given routing and zoning (relative areas on the physical structure of the 
aircraft) information [60]. In particular the process helps to assure adequate separation and 
segregation of aircraft wiring, thereby minimizing the potential for a single failure to have 
catastrophic consequences. Additional services including aircraft wire management systems, arc 
damage modeling tools, risk assessment and service life extension programs are also offered. 

4.3.1.3 Emerging Wiring Technologies 

In addition to the established regulations, inspection, and software tools mentioned above, a 
variety of new hardware capabilities relevant to built-in online wiring system health management 
are emerging. In particular, the following relatively new developments along with NASA’s 
contributions (discussed later) hold promise for enabling automated preventative fault detection 
for the most critical wiring on an aircraft. 

• New solid-state power controllers and distribution systems are replacing mechanical 
circuit breakers and relays in new aircraft, while at the same time shortening wire lengths 
and simplifying much of the wiring system design. Specific examples include the Boeing 
787 [61], and the Gulfstream G650 [62]. In addition, these power controller systems can 
provide arc-fault detection, electrical load protection, monitoring and shedding, and even 
some diagnostics and prognostics capabilities — possibilities include incorporating line 
replaceable unit (LRU) feedback and the trending of load current and power usage with 
time for example. 

• Small (1- by 1-cm) Spread-Spectrum TDR integrated circuits (ASICs) are now just 
emerging that have the potential to be embedded into a variety of systems, including 
connectors, for online intermittent fault detection in possibly high noise environments 
[58]. 

4.3.2 Other Avionics Systems 

Health management for avionics of aircraft has evolved greatly from the earliest push-to-test 
built-in test equipment (BITE). Many aircraft today employ a centralized computing system that 
gathers fault indications from modular subsystems, performs root cause diagnostics, and 
recommends maintenance actions. The root cause determination is performed with the aid of 
models that encode the propagation of fault effects to observable symptoms. Model information 
is contained in a database that can be updated and loaded to the monitoring system without 
requiring changes to the functional code [63]. 

However, components that are critical to the proper operation of safety-critical avionics, such as 
the power semiconductors and capacitors that can, for example, affect navigation equipment, are 
not instrumented to the degree that enables detection of failure precursors. Until recently, it was 
believed that there were no indications of impending failures in these components. This turns out 
not to be the case, and similar to mechanical systems, electronics undergo a measurable wear 
process from which one can derive features that can be used to provide early warnings to failure 
[64]. 


4.3.2.1 Electromechanical Actuators 

Health management for electrohydraulic and electromechanical actuators (EHAs/EMAs) is an 
emerging field that is rapidly gaining importance as newly designed commercial aircraft are 
developed. For example, the Boeing 787 and Airbus 380 use more EMAs in roles traditionally 
reserved for purely mechanical hydraulic systems. Even though EMAs have been studied 
extensively from a functional point of view — in order to help develop new and improved 
designs — studies from a health management point of view have been rather limited. The reason 
is largely attributed to unavailability of operational fault data from fielded applications. Because 
of this, early research efforts conducted by industry and government partners have focused on 
identifying critical fault modes and the development of EMA fault testing and aging capabilities 
in the lab; along with the fault diagnostics and prognostics methods needed for health 
management. Below we provide a brief synopsis of current developments detailed in [65]. 

Initial and ongoing industry efforts have focused on developing accelerated aging and test 
methods for EMAs in a lab environment. In some cases, test rigs were developed to allow for 
fault injection covering a wide spectrum of electrical, mechanical, and sensor faults. Particular 
faults frequently studied include: spalling, backlash, ball return jam, and stator coil failure (not to 
mention wire chafing and connector issues) to name a few. See [19] for a full summary. Aircraft 
original equipment manufacturers (OEMs), like Boeing, have also shown considerable interest in 
developing EMA health management technology. In one collaborative effort between Boeing, 
Air Force Research Lab (AFRL) and Smiths Aerospace in 2006, an Aircraft Electrical Power 
Systems Prognostics and Health Management (AEPHM) system was developed to address faults 
in electric actuation among other things. One conclusion from this study was that the existing 
indicators had limited sensitivity to be able to distinguish between various EMA fault modes and 
more investigation was required to determine the appropriate sensor suite and signal processing 
methods. Finally, companies like Ridgetop Technologies, in collaboration with NASA, have 
focused on developing health management methods for power electronics components of EMA 
systems. 

Diagnostic health management algorithms for EMA and EHA fault detection are broadly divided 
into two types: model-based and data-driven. Model-based schemes rely on system models 
developed from the underlying knowledge about the system and how it works (using physics for 
example), while data-driven schemes do not require such models but instead require large sets of 
exemplar failure data, which is often not available. For example, current and voltage sensor 
outputs in an EMA can be modeled using physics-based differential equations, which in turn 
enable model-based diagnosis of faults. On the other hand, modeling accelerometers is better 
suited to a data-driven, feature-based, diagnosis approach. Thus, the current overall approach to 
EMA diagnostics synergistically combines the model-based and data-driven diagnosis 
techniques. Example approaches for both EHA/EMAs are presented in [65, 66]. 

4.3.2.2 Batteries 

Health determination for aviation batteries is typically to the level of pass-fail tests to determine 
whether to replace the batteries. Measuring the open circuit voltage, which is applicable only to 
sealed lead-acid batteries, is the simplest method but also the least effective as it determines the 
state of charge rather than the state of health. For rechargeable batteries, discharging to a fixed 
cut-off voltage generally provides a more accurate measure of battery capacity. However, this 
typically takes several hours, requires removing the battery from the aircraft, and requires special 
support equipment — hence it is impractical. Alternatively, the battery voltage can be measured 
in-situ while subjecting it to a load for a short period of time. This is more practical but does not 
indicate the reserve capacity of the battery [21]. Another method is to use electrochemical 
impedance spectroscopy, which avoids having to load the battery but requires special equipment. 
Conductance testing can also be combined with sensing other battery parameters such as 
temperatures and the amount of float charge [67]. 

Recent research has gone beyond a pass/fail diagnostic state assessment to exploring the 
practicality of predicting end of life for batteries. Based on end user requirements and available 
resources, different techniques of varying complexity may be appropriate. For situations where 
the rate of capacity degradation is slow, simple regression methods can perform well as more 
data are accumulated and predict far enough in advance to avoid catastrophic failures. When 
accuracy and precision of predictions are important, more sophisticated techniques that employ 
underlying physical models perform better at the expense of computational complexity [68]. 

The State-of-the-Art in Avionics Health management involves a limited amount of automated 
flight and ground capabilities, although a number of systems are not monitored even as the 
vehicle becomes more electric. In particular, wiring is the core of the avionics system with 
limited capabilities for on-board inspection. 


4.4 State-of-the-Art in Propulsion Health Assessment 

Engine Health Management (EHM) systems are typically more complex than health 
management systems in other subsystems. This section describes EHM systems that assist aircraft 
operators in managing the safety, availability, and affordability of their propulsion assets. The 
functionality of the EHM system has some notable features beyond health management in other 
subsystems. The functionality provided by an EHM system includes monitoring, detection, 
isolation, and providing recommended inspection and maintenance actions to address 
deterioration, faults and failures. EHM systems are unique, and vary in their design dependent 
upon the application needs of the end user [69]. Figure 4.2 shows a representative EHM system 
architecture. Here, both onboard and off-board (ground-based) EHM functionality are shown. 
Onboard, an Engine Monitoring System (EMS) acquires data and performs built-in-tests and 
other engine monitoring functions such as detection and status assessment. Taking a broad 
definition of EHM, the onboard system can also be viewed to encompass functionality such as 
engine control fault detection, isolation, and accommodation logic as well as cockpit alerts, 
indications and warnings. Onboard information is transferred off-board to a ground-based EMS 
through a data link. Ground-based functionality includes fleet-wide engine trend monitoring and 
fault diagnostics. This information is ultimately converted into actionable information used for 
maintenance and logistics planning purposes. This can range from replacing a line replaceable 
unit on the flight line to conducting a complete engine overhaul. 

Figure 4.2. — Engine Health Management System architecture. 


4.4.1 Maintenance Levels 

In order to prevent accidents between major inspections, an understanding of how maintenance is 
performed and on what schedule is necessary. The maintenance levels that are scheduled and 
performed differ in terms of their location, level of urgency, and required turnaround time [70]. 
These levels include: 

• Line maintenance: Performed at the flight line by ground maintenance personnel. This 
involves basic troubleshooting, inspection and the replacement of line replaceable units. 
Often it entails maintenance issues that must be resolved in order for an aircraft to 
dispatch on its next flight. High urgency and short turnaround timeframes are common. 

• Engine shop: On-wing engine maintenance performed at dedicated facilities. Engine 
shops are usually located at airports that serve as major airline hubs. They provide 
general engine maintenance services as well as more in-depth troubleshooting and repair. 
Depending on the urgency of the issue, an operator may choose to postpone maintenance 
until the vehicle can be flown to an engine shop site. This includes time limited dispatch 
faults, which allow an operator to dispatch an aircraft with known faults for a limited 
period of time before maintenance is performed. Often it is more cost effective to address 
such faults at a maintenance shop that provides the required personnel, tools, and 
replacement parts, rather than bringing those parts to a remote aircraft location. 

• Overhaul facility: Overhaul facilities provide off-wing complete engine teardown, 
inspection, and overhaul services. This helps restore engine operating performance and it 
is critical for ensuring the integrity of engine life limited parts. Engines will undergo 
overhauls only a few times during their lifetime of use. Operators typically have long 
lead times in which to forecast and schedule these events. 

4.4.2 Engine Monitoring System Functionality 

Aircraft EMS functionality is multidisciplinary, spanning many technology areas as shown in 
Figure 4.3. A brief description of each of these technology areas is given below. 



Figure 4.3. — Engine Monitoring System functionality. 

4.4.3 Gas Path Monitoring 

Gas Path Monitoring is associated with the health of gas turbine engine flow-path components 
and controls accessories [71,72]. It is performed by relating observed changes in sensed engine 
variables to internal performance-related changes within the gas turbine engine cycle. 
Monitoring and processing engine sensed measurements enables the detection and isolation of 
problems, ultimately enabling corrective action to be taken. Examples of the types of events that 
can be addressed by gas path monitoring include performance analysis of the major rotating 
modules of the engine, sensor faults, actuator faults, and turbomachinery damage. This 
monitoring function primarily relies upon the gas path sensors installed on the engine for control 
purposes. Historically, gas path monitoring came into prevalence concurrent with the 
introduction of digital engine controls and avionics. Prior to this, gas path performance trending 
was conducted manually based on cockpit gauge readings hand-recorded by pilots. The 
introduction of digital avionics and controls revolutionized this process by providing access to 
additional sensed measurements, along with automated data acquisition and processing 
capabilities. This enabled the inclusion of on-board engine diagnostic functionality, as well as 
ground-based fleet-wide EMS functionality in computer ground stations, which processes engine 
data acquired in-flight. 

4.4.4 Full-Authority Digital Engine Control (FADEC) Fault Codes 

An EHM system can be considered to encompass the fault detection functions that are typically 
performed within the FADEC. An electronic engine control performs a number of checks for the 
validation of sensor measurement signals. This includes range checks, rate of change checks and 
cross-channel checks across redundant channels of a dual channel FADEC. This can aid in 
determining when an engine sensor is exhibiting anomalous behavior or failing. Checks on 
actuators, such as position feedback or current-loop checks, can provide independent information 
regarding engine health and the health of various engine subsystems. FADEC failure detection 
algorithms typically generate fault codes that indicate the presence of one (or more) of a list of 
pre-identified failure conditions. Operators must follow prescribed maintenance procedures and 
dispatch limitations pertaining to each specific fault code. This capability has only come into use 
with the introduction of electronic engine control systems. These FADEC fault codes provide 
relatively rudimentary diagnostic capabilities, although these capabilities have become more 
sophisticated over time. 
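
The three signal checks named above (range, rate of change, cross-channel), applied to two redundant channels of one sensor. This is an added illustration, not code from the report or from any engine control; the fault-code names, the limits, and the rule that a channel's last accepted sample is the rate baseline are assumptions.

```python
"""Sensor-signal validation for two redundant channels (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    lo: float         # lowest physically plausible reading
    hi: float         # highest physically plausible reading
    max_rate: float   # largest plausible change per second
    max_split: float  # largest tolerated disagreement between channels


def validate(chan_a, chan_b, dt_s, lim):
    """Return [(sample_index, fault_code), ...] for channels A and B.

    Fault-code names are hypothetical. Design choices made for this example:
      * a rejected sample never becomes the baseline for the next rate check,
        so one spike does not also flag the good sample that follows it;
      * the cross-channel check runs only when both channels passed their own
        checks, so a fault already isolated to one channel is not reported a
        second time as a disagreement.
    """
    faults = []
    last_good = {"A": None, "B": None}  # (index, value) of last accepted sample
    for i, (a, b) in enumerate(zip(chan_a, chan_b)):
        passed = {}
        for name, value in (("A", a), ("B", b)):
            code = None
            # Range check. Written so that NaN also fails it.
            if not (lim.lo <= value <= lim.hi):
                code = f"{name}_RANGE"
            elif last_good[name] is not None:
                # Rate-of-change check against the last accepted sample.
                j, prev = last_good[name]
                if abs(value - prev) / ((i - j) * dt_s) > lim.max_rate:
                    code = f"{name}_RATE"
            if code is None:
                last_good[name] = (i, value)
            else:
                faults.append((i, code))
            passed[name] = code is None
        # Cross-channel check across the redundant pair.
        if passed["A"] and passed["B"] and abs(a - b) > lim.max_split:
            faults.append((i, "AB_SPLIT"))
    return faults


# Constructed sample data: a temperature-like signal sampled every 0.1 s.
SAMPLE_LIMITS = Limits(lo=0.0, hi=1100.0, max_rate=200.0, max_split=25.0)
SAMPLE_A = [600.0, 602.0, 605.0, 1500.0, 607.0, 609.0, 611.0, 613.0]
SAMPLE_B = [601.0, 603.0, 604.0, 606.0, 680.0, 610.0, 625.0, 640.0]

if __name__ == "__main__":
    for index, code in validate(SAMPLE_A, SAMPLE_B, 0.1, SAMPLE_LIMITS):
        print(f"sample {index}: {code}")
```

In the constructed data, channel A has one out-of-range spike, channel B has one implausibly fast jump, and channel B then drifts slowly enough to pass its own checks until only the comparison with channel A catches it.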

4.4.5 Component Life Usage Monitoring 

Component Life Usage Monitoring is applied to track the remaining useful life in life-limited 
engine parts. These parts must be inspected on regular intervals and replaced before their usable 
life is expended. Component lifing algorithms track part usage by effective cycle counting [73]. 
These algorithms track the number of acceleration/deceleration cycles a component has 
experienced, along with the severity of these cycles. For example, full-power engine takeoffs 
contribute more life consumption than de-rated power takeoff cycles. Life usage monitoring is 
inherently tied to the disciplines of materials and structures. It enhances safety by enabling more 
accurate life consumption tracking, while also providing operating cost reduction by allowing 
extended component time on wing. Component lifing system functionality typically resides 
both on-board and off-board the aircraft. Often data is acquired onboard, then compressed and 
transferred off-board for further analysis and tracking. 

4.4.6 Lubrication Monitoring 

Lubrication System Monitoring in today’s aircraft engines is often performed post-flight by 
Spectrographic Oil Analysis Programs [74] which analyze oil samples taken from the engine at 
specified intervals. Through this process the chemical composition of the oil is analyzed, and 
checks are made for the presence of contaminants or particles within the oil. Online monitoring 
capabilities often consist of oil debris monitoring systems such as chip detectors which monitor 
for the presence of metallic particles in the engine oil system. If fretting or spalling of engine 
mechanical components occurs, metal particles are generated and released into the system oil. 
The chip detector sensor contains a magnet to attract any metal particles that may be present in 
the lubrication system. When a particle becomes attached to the chip detector magnet an 
electrical circuit is completed and a warning can be generated to have the engine inspected. A 
range of other parameters are monitored, including oil level, temperature, pressure and filter delta 
pressure, as well as oil debris [75]. 

4.4.7 Structural Health Monitoring 

Structural Health Monitoring for engines deals with the health of rotating gas turbine 
components, which present a dynamic structural health monitoring scenario. In the case of the 
Joint Strike Fighter F135 engine this includes a dedicated fan eddy current system that monitors 
the structural health of the fan blades [76]. The current SOA also relies on vibration sensors, 
which provide a vibration signature to detect faults within the rotating components of the engine. 
Perhaps the most advanced vibration monitoring systems are the current Health and Usage 
Monitoring Systems (HUMS) being flown on rotorcraft that focus on transmission and drive 
train monitoring. Today, commercial turbofan engines are typically equipped with relatively low 
frequency accelerometers that monitor for rotor out-of-balance and high vibration amplitudes. 
Higher frequency vibration analysis, which is being introduced on some military aircraft, has 
been enabled by recent advances in the fields of data acquisition and signal processing. Example 
candidate faults for detection via vibration diagnostics include bearing faults, turbine blade 
failures, gear failures [77], foreign object damage events, disk cracks, and shaft cracks. The 
vibration frequencies of interest to diagnose such faults are dependent upon the design and 
rotational speeds of the components of interest. For example, bearing defects (i.e., ball, inner 
race, and outer race faults) can be diagnosed by monitoring for periodic impacts, which occur at 
the ball passing frequency, which can be estimated from bearing geometry and rotating speed. 

4.4.8 Sensors 

Sensor technology is the foundation upon which EHM is based as it is relied upon to acquire the 
required data. Many of the sensors used for EHM today have multi-functionality. For example, 
the primary function of most of the sensors used for gas path health monitoring is for control 
purposes (i.e., pressure, temperature, rotor speeds, fuel flow, etc.). Dedicated engine monitoring 
instrumentation is included for the purpose of monitoring the fuel system (e.g., fuel inlet 
pressure) and the oil system (e.g., oil pressure, temperature and quantity). Additional 
instrumentation may also be included for monitoring engine vibration levels and lubrication 
system debris monitoring. Sensor technology in some locations within the engine is limited due 
in part to the extreme high temperature operating conditions. 

4.4.9 Host Computing Platforms 

EMS functionality resides in onboard and off-board host computers. For onboard host 
computers, this includes the electronic engine control computer, dedicated engine monitoring 
units, aircraft condition monitoring systems, or central maintenance computers. Key design 
considerations are data acquisition rates, processing speed, and memory requirements. Often this 
restricts the level of sophistication that can be implemented onboard. For off-board host 
computers, dedicated ground station computer systems are applied to host EMS functionality and 
archived fleet-wide databases. There are various approaches for transferring data off-board the 
aircraft. This includes wireless in-flight telemetry ACARS satellite communication, ground 
wireless communication, and manual physical transfer of data such as thumb-drives. 

The State-of-the-Art in Engine Health Management involves a series of functionalities 
intended to provide health information on the complex engine system. Reports of the engine 
health state are provided post-flight, although visibility into the real-time state of engine 
health is limited, and engine parts are often replaced based on a schedule as opposed to 
condition. 

5.0 NASA Contributions to the State-of-the-Art and Available Capabilities 

Over many years and a number of programs, NASA has endeavored to advance the 
state-of-the-art (SOA) related to health management and safety technologies. This work has often 
concentrated on technologies, components, and subsystems; in general the state of the art of vehicle 
wide health assurance is at an earlier stage of development. This section describes NASA 
contributions to the state-of-the-art and capabilities both in the relatively newer field of 
vehicle wide health assurance and in the various subsystems. 

5.1 NASA Contributions to the Vehicle State-of-the-Art and Capabilities 

One of the more recent examples of efforts to advance the state-of-the-art in vehicle health 
assurance is the NASA Integrated Vehicle Health Management (IVHM) project concluded in 
2010. The NASA IVHM Project set out to validate tools and methods for automated detection, 
diagnosis, prognosis, and mitigation of adverse events during flight with the goal of reducing 
aircraft accidents and incidents. The IVHM Project made major strides in vehicle health 
management in the area of advanced sensors and sensor systems, data mining, advanced 
diagnostic/prognostics algorithms, software health management, verification and validation, and 
IVHM open architecture. 

In particular, development of a vehicle level reasoning system was initiated under IVHM and 
continues into the System-wide Safety Assurance Technologies program [78-79]. This activity is 
summarized in Figure 5.1 and involves: 


1. Generic platform reasoner to provide a common code base for one-time certification 

2. Clear separation between components of the vehicle level reasoner: data manipulation 
and state extraction monitors (evidence generation), the reference model that encodes 
aircraft specific configuration, and the reasoning engine (evidence interpretation) 

3. Information and data exchange using standard messaging protocols. This includes 
information from the Flight Data Acquisition Management System Digital Flight Data 
Acquisition Unit (FDAMS DFADU) 

4. A reasoner containing a deterministic set of operators and reusable computational blocks. 
These are distributed to manage scalability and computational tractability 

5. Monitoring of data to capture fault evidence without exposing potentially proprietary 
information. 

6. An offline data mining process for continual learning and update of the system reference 
model for the vehicle. 

Figure 5.1. — Technical approach of the Vehicle Integrated Prognostic Reasoner [78] 


This vehicle level reasoning system is an example of technologies supported by NASA related to 
health monitoring systems. This vehicle level reasoner is also an example of a framework which 
might be used in an overall Vehicle Health Assurance approach. Examples of IVHM systems 
also exist outside of aeronautics, such as spacecraft-based systems that also include system level 
reasoners [80]. 

The impact of IVHM development is now being seen in industry with anomaly detection tools 
(Southwest Airlines [81]) to improve the safety of current operations, open source algorithms and 
datasets on a public website (DASHLink) [82], collaborations with industry/other government 
agencies (OGA), flight experiments, world-record development of high temperature sensors and 
electronics, and adoption of specific IVHM technologies in aircraft subsystems. 

Some examples of this impact are: 1) Vehicle level reasoning developments that have influenced 
the design of the Central Maintenance Computer of the 787, Embraer, and other major jets; 2) 
Transfer of the Automation Design and Evaluation Prototyping Tool (ADEPT) [83] Software to 
Gulfstream is being used to help design and analyze new concepts for controlling systems 
functions; pilot fatigue risk management studies are underway at easyJet and ONERA; and 3) 
An engine testing collaboration was formed after the IVHM program, leading researchers at 
NASA, Pratt & Whitney and the Air Force to test IVHM engine technology in a transport scale 
engine [84]. 

The ability to safely incorporate technological advances and operational improvements in a 
rigorous and cost- and time-effective manner is essential for enabling the Next Generation Air 
Transportation System. Already, the complexity of current-day flight-critical systems poses 
significant challenges to safety assurance. To address these needs, the NASA SSAT Project is 
developing new paradigms for providing high levels of confidence in safety assurance. In 
particular, an integral part of the safety assurance process is verification and validation, which 
can be very costly and in some cases prohibit novel operations and technologies. Moreover, 
errors can occur even after verification and validation have been completed on a system because 
of the large number of interactions that the system has with other systems. To enable verification 
and validation of these complex technological and operational developments, the NASA SSAT 
Project is developing new tools and technologies for manufacturers and certifiers to use to 
improve safety assurance for current and future air transportation. These tools and technologies 
will facilitate the implementation of the Concept of Operations described in this document, and 
will be transitioned to the FAA, the Joint Planning and Development Office, industry, academia, 
and other partners to benefit the public. 

Under its Atmospheric Environment Safety Technologies (AEST) Project, NASA is 
investigating sources of risk and providing safety technology needed to help ensure safe flight in 
and around atmospheric hazards. Existing NASA vehicle health management capabilities can 
potentially help in the identification and mitigation of such hazards. For example, real-time 
monitoring of vehicle health can potentially detect and quantify the severity of environmental 
hazards such as aircraft/engine icing and volcanic ash ingestion. This information can in turn be 
used for real-time on-board mitigation functions (e.g., flight controls or cockpit annunciations), 
or used to generate post-flight inspection/maintenance recommendations to address any 
identified environmental-induced damage. Under the VSST Project, ongoing work in the MVS 
and ASC Technical Challenge areas will collaborate with the AEST Project on iced engine 
detection and control mitigation actions. 

Other work involving NASA participation has concentrated on the use of digital systems in 
aircraft. Digital systems have used Hardware-In-the-Loop (HIL) since 1976 [85]. The technique 
combines simulation/emulation software with embedded hardware to achieve increased levels of 
model fidelity that include real world effects. More recently, HIL has been applied to 
Unmanned Aerial Vehicles (UAVs). HIL has been used to validate the hardware and the 
software for a UAV autopilot based on the nonlinear control models [86-87]. HIL has also been 
implemented to test intelligent agents that would allow UAVs to operate in civilian airspace 
[88]. The use of the same embedded boards for development and implementation enables HIL 
capabilities or Aircraft-In-the-Loop (AIL). NASA has been using AIL techniques since the 
testing of the experimental X-29 airplane [89-90]. NASA developed an F-18 Iron Bird 
facility at the NASA Dryden Research Center that provides both HIL and AIL simulation 
capabilities on an F-18 aircraft with hydraulically operated horizontal stabilizer, rudder, and 
ailerons [91]. To reduce risk during flight tests NASA has utilized AIL techniques during 
pre-flight tests on the Hyper-X 43 experimental hypersonic vehicle [92-93]. NASA also intends to 
perform AIL testing of the Global Hawk Unmanned aircraft. 

The concept for Aircraft in the Loop testing of the onboard IVHM system is very simple: couple 
the onboard SHM system and the external nondestructive testing (NDE) equipment together and 
allow sharing of data (Figure 5.2). External stimuli, such as loads, acoustics, heat sources, laser 
induced acoustics, etc., can be used to excite the structure so that they can be measured by 
onboard sensors. External NDE techniques can then be compared with the internal IVHM 
sensors to give improved results. Information from external systems can be transferred back to 
the internal system to increase situational awareness of the aircraft. 

The U.S. Air Force is moving toward this concept and considering the feasibility of creating a 
digital twin for new aircraft. The foundation of the digital twin will be a high fidelity structural 
representation of the entire aircraft [94-95]. The concept is to create a digital model of an entire 
aircraft that can be used to virtually fly missions before the vehicle is put into service. After a 
vehicle is put into service, the model for each vehicle is continuously updated with monitoring 
data from each mission. The decision on whether an aircraft structure would need to be repaired 
before its next deployment would come from the current state risk analysis of the operational 
model, i.e., the digital twin [96]. This model will be capable of taking inputs of aerodynamic 
loads from either actual or forecasted usage and determining the stresses, strains, temperatures, 
and other environmental states in the structure. This information will be used to drive damage 
progression models that are tightly coupled to the structural model [94-95]. 

A unique digital model is created for each aircraft in a fleet, so that condition-based maintenance 
can be performed to inspect specific aircraft or aircraft components which experience more 
severe use, while deferring maintenance on those aircraft or components that experience more 
benign use. While each aircraft has a unique digital model, some data is shared in order to 
determine if any anomalies exist or to better inform each model. For example, it will not be 
necessary to equip each aircraft with sensors for monitoring loads in every critical location since 
sharing information across models can help to better inform all the models across multiple 
locations. 



Figure 5.2. — Concept for Aircraft in the Loop testing of the onboard Integrated 
Vehicle Health Management (IVHM) system. 

In addition to the digital twin concept being developed within the U.S. Air Force, the other DoD 
agencies and the U.S. Coast Guard are developing some type of structural health monitoring plan 
for improved fleet management. This includes the Joint Strike Fighter that targets the use of 
condition based maintenance and a prognostics health management system across multiple 
components and subsystems. The approach takes into account the logistics chain with 
notifications of the need for maintenance to allow parts to be on-hand [97, 98]. NASA has 
incorporated the digital twin concept into the draft “Modeling, Simulation, Information 
Technology and Processing Roadmap” for [99] and “Materials, Structures, Mechanical Systems, 
and Manufacturing Roadmap” [100]. NASA is also interacting with the Air Force in this Digital 
Twin concept, and will aim to take lessons learned from the Joint Strike Fighter program. 


NASA has invested significantly in a range of technologies that affect vehicle level system 
safety and health. Examples include advanced material systems and integrated health 
management technologies. These and other investments are beginning to see implementation, 
but the overall state of Integrated Vehicle Health Assurance is at a low level of maturity. 


5.2 NASA Airframe Contributions and Capabilities 

5.2.1 NASA Historical Airframe Contributions 

5.2.1.1 Damage Tolerance/Materials 

In the early 1950s, several fatal accidents involving De Havilland Comet aircraft shocked the 
aviation community. The root cause for these accidents was determined to be fatigue crack 
growth, a damage mode that had not been considered when designing the aircraft structure. At 
the same time, George Irwin at the Naval Research Laboratory was developing new concepts in 
the field of fracture mechanics that could be directly applied to engineering structural materials 
[101]. By applying fracture mechanics concepts to the study of crack growth, the concept of 
damage tolerance for engineering structures was formed. Throughout the 1950s and 1960s, 
NASA played a critical role in developing the principles of damage tolerance for aero structures. 
Here, the structure is considered to be damage tolerant if a maintenance program can be 
implemented that will result in the detection and repair of accidental damage and fatigue crack 
growth before such damage results in the residual strength being less than that required during 
operation. By the early 1970s most aircraft structures were designed and managed using damage 
tolerance principles. Inspection intervals are set based on life estimates, the number of cycles or 
missions for an assumed minimum sized crack to grow to a critical size. A critical development 
in determining safe inspection criteria was the development of software codes which utilized 
fatigue crack growth rate data to determine life and inspection cycles. The first commercially 
successful code was developed by NASA (NASGRO); although this code was first intended to 
be used for spacecraft, it was found to be of great value in damage tolerance criteria for aircraft 
as well [102]. The codes in use today with aircraft manufacturers and the DoD (i.e., AFGRO) are 
largely derived from the NASGRO code. 

April 28, 1988, marked another significant event in the application of damage tolerance 
principles to aircraft structures. On this date Aloha Airlines flight 243 experienced an explosive 
decompression in flight. The investigation determined that multisite damage resulted in the 
linking of small fatigue cracks to create a critical damage event. NASA and the FAA created a 
joint program to study this damage and to better understand the damage processes present in 
aircraft structures as a vehicle ages. As a result of this program, new knowledge in the areas of 
corrosion, corrosion fatigue, widespread fatigue damage and crack closure was applied to 
damage tolerance philosophies to mature the engineering practices and improve safety margins 
[103]. 

For the past two decades, the primary focus of study in the area has been to reduce the 
uncertainties associated with damage propagation in aero structures. This work aims to ensure 
greater safety and enable reduced aircraft weight as well as developing damage tolerance 
approaches to emerging material systems that are highly anisotropic, and therefore are difficult to 
rationalize in the continuum approaches used in current damage tolerance design. Lightweight 
metallic materials, such as aluminum-lithium and titanium alloys, and composite materials are 
highly desirable for use in aircraft structures for weight savings. However, damage initiation and 
evolution are much more difficult to predict and model than in materials that have historically 
been used in aircraft structures. As such, NASA has contributed greatly to understanding damage 
processes in these emerging materials systems and much of this work has enabled the inclusion 
of new materials in military and civilian aircraft [104]. 

5.2.1.2 Inspection and Monitoring 

Over the years, NASA has contributed to the SOA in airframe inspection. For example, NASA 
developed computational, experimental, and nondestructive evaluation methods to understand 
the structural failure that resulted in the loss of the vertical tail of an Airbus A300 flying as 
American Airlines flight 587 on November 12, 2001. This effort supported the National 
Transportation Safety Board’s investigation of the accident and was the first time that 
progressive failure analyses were used to explain the failure of a flight structure made of 
composite materials. Various other techniques including thermography, ultrasonic inspection, 
and eddy current inspection have been developed to address the needs of the current aircraft fleet 
[105]. As a result of these contributions, technology has been transferred to private industry for 
commercial product development. For example, Krautkramer Branson, now a division of 
General Electric Measurement and Control, licensed a self-nulling eddy current probe developed 
by NASA. The development of fiber optic technology with corresponding data sampling 
approaches has been on-going. These fiber optic systems have been demonstrated in flight on 
vehicles such as the NASA Ikhana UAV [106] with a broader range of sensor coverage than is 
available with standard wire technology. Another notable application includes the integration of 
wireless impact monitoring sensors on the wing leading edge of the Space Shuttle to monitor for 
structural damage [107]. 

5.2.2 NASA Airframe Capabilities 

5.2.2.1 Materials for Airframe Health Management 

NASA is developing several material concepts that are intended to intrinsically improve health 
management through improved material and structural durability as well as developing materials 
designed to enable structural health monitoring. Of these material concepts, several were 
envisioned at NASA and have been submitted through the patent process [108-110]. These 
materials have been demonstrated through proof-of-concept level and are being evaluated for 
specific damage processes for legacy and next generation aircraft, and concepts for component 
replacement, repair and design of new material systems are being developed. 

5.2.2.1.1 Healing Materials 

Several healing material concepts have been proposed over the past 10 years. A majority of these 
concepts encapsulate a monomer within a capsule or hollow tube within a polymer matrix 
composite [111]. When propagating damage results in rupture of the capsule, the monomer is 
released and reacts with catalyst that is distributed throughout the matrix. While this concept is 
extremely promising, the concept has proven difficult to implement in aero structures due to 
temperature limitations and for the fact that it only addresses matrix cracking in polymer matrix 
composites. The self-healing composite concept currently being investigated by NASA is a 
thermoplastic resin that can be manufactured as a fiber reinforced composite, which has been 
shown to heal damage induced from impact events. Here, damage is healed and the material is 
returned to near initial state prior to damage progression. As impact damage is of particular 
concern for new aircraft containing primary composite structure, the inclusion of these materials 
in components prone to impact events could result in a more damage resistant airframe. 

Fatigue crack growth is the critical damage process in metallic airframe components. Although 
new aircraft designs are utilizing increased composite content, the current commercial aircraft 
fleet is predominantly comprised of metallic primary structure and the majority of the fleet for 
the next 25 years is expected to be dominated by vehicles comprised mostly of metallic primary 
components. Consequently, the development of a healing concept for improved durability of 
metallic components is also desirable. Here, a thin film concept has been developed where the 
healing agent can be activated to flow into an existing fatigue crack resulting in the mitigation of 
damage propagation. The thin film can be applied to the entire surface of components or near 
“hot spots” prone to damage. Since it is a thin film application, this concept can be used for new 
or replacement components or applied to existing components that may be found to experience 
damage. Since the film is applied to the structural material, the technology should be easily 
inserted into service and should not require the extensive certification that is necessary for new 
structural materials. 

5.2.2.1.2 Sensory Materials 

The ability to monitor damage in a structural material using NDE sensors is limited by the 
physical interaction of the sensor with the material. Material selection and damage detection are 
usually considered separately. However, sensory material concepts attempt to integrate systems, 
which facilitate the measurement of damage within a structural material. The concept currently 
being examined by NASA is to embed particles within a metal matrix which undergo a phase 
transformation upon being strained. This concept utilizes existing NDE sensors to monitor 
damage in real time using on-board sensors (acoustic emission) and more accurate and detailed 
examination can be performed using eddy current probes to measure the size and location of the 
damage. This two-fold approach has the potential to ensure that all damage will be found and no 
structural damage will go undetected, even in locations that are very difficult to access and 
inspect using current methods. 

5.2.2.2 Inspection Techniques and Sensors for Airframe Health Management 

Currently, NASA is furthering the SOA through development of analysis tools for collected data. 
Advanced thermographic data reduction techniques have been demonstrated for defect sizing and 
material aging. Analysis tools for guided wave imaging techniques are under development to 
reduce collected data to quantifiable results suitable for airframe health prognosis. NASA has 
made significant contributions to the field of sensor technologies for airframe health monitoring. 
As part of the Aviation Safety program and as detailed below, NASA has developed fiber optic 
sensor technology that, coupled with NASA developed interrogation techniques, permits 
distributed measurements for evaluation of airframe state. NASA has also developed in this work 
distributed strain sensing for the purpose of detecting off-nominal strain fields in airframe 
components. Causes for off-nominal strain fields are, for example, fastener failure, structural 
component failure, and excessive loading. In addition, lightning detection methods using fiber 
optic cables have been demonstrated. Additionally, NASA developed carbon nanotube (CNT) 
sensors as a low weight, microminiature sensing technology suitable for integration into 
structures [112]. Further highlights of these capabilities are described below. 

5.2.2.2.1 SAW Strain Sensors 

Surface Acoustic Wave (SAW) devices are being developed for passive wireless strain sensors. 
These sensors would not require batteries and are capable of working in harsh environments. 
SAW devices have been demonstrated to work in environments from cryogenic to high 
temperatures, and are immune to vibration, radiation, and pressure changes [113]. SAW devices 
have proven to be extremely sensitive to strain. The Decadal Survey of Civil Aeronautics: 
Foundation for the Future, identified IVHM as the top NASA and national priority within the 
area of materials and structures [114]. The survey also identified IVHM systems that warrant 
attention over the next decade such as “locally self-powered, wireless microelectromechanical 
sensors of various types tiny enough that very large numbers of sensors become practical.” Strain 
gages have been used to monitor load conditions and fatigue, and to detect cracks in airframes 
[115-116]. 

Surface Acoustic Wave (SAW) devices have proven to be extremely sensitive to strain. Crack 
detection sensitivity of 0.01 mm has been demonstrated using these devices [117]. For these, and 
many other reasons [118], standard strain gages have been used to detect cracks in aircraft [115]. 
For example, a system capable of 1 microstrain (με) resolution has been demonstrated for crack 
monitoring both before and after repairs [119]. Therefore, 1 με was established as a good sensitivity 
target for SAW strain sensors. The current SOA for wireless sensing of strain is MicroStrain 
Inc.’s SG-Link wireless strain gauges with a sensitivity of ± 2.5 με, weight of 46 g, and a volume 
of 73.89 cm³ [120]. The SAW devices we propose to investigate shall be at least an order of 
magnitude better in sensitivity (± 0.25 με), volume (7.39 cm³), and mass (4.6 g). 

5.2.2.2.2 Fiber Optic Strain Sensors (FOSS) 

Strain and temperature sensing fiber has long-term applications for IVHM research. Fiber 
sensors can be active or passive interrogation devices. Fiber Bragg grating technology is 
NASA’s primary focus in this area; however, Rayleigh and Raman scattering techniques could 
also be used in the same fiber. The primary benefit from this technology is that several hundred 
gratings within one fiber spanning many meters can be demodulated for damage detection and 
monitoring at multiple locations [121-122]. Fiber can also be embedded into the structure (e.g. 
even metals [123]) or temporarily attached using an adhesive tape. The sensor information is 
generated using laser light and processed with photodiodes through electronics. This information 
can be processed in situ or compressed and sent through telemetry to storage or processing. 
Using this technology a large number of strain sensors with low power consumption and weight 
per sensor can be used to collect strain data at one or several fixed locations on an aerospace 
vehicle, analogous to an animal spinal column with fiber nerves. 

Frequency domain scanning of Bragg gratings allows high sensor density with lower sampling 
rate compared to time domain sensing. Advances in laser technology are linked to increases in 
the sampling rate. Luna Innovations, Inc. has licensed the patent for this technology from NASA 
and continues to develop laser technology and signal processing techniques for commercial 
applications [122], Luna’s work continues to increase the system sampling rate, along with that 
of NASA Dryden. NASA is exploring new ways to use this technology for IVHM using system 
modeling and expanded applications such as thermography [124], 

Fiber optic Bragg grating devices are used as distributed strain and temperature sensors inside 
single mode fiber. Hundreds up to thousands of sensors can be written in the fiber as individual 
sensors [125]. These sensors are immune to electromagnetic noise and corrosion, can be used in 
harsh environments, and do not pose an ignition source, so they can be used in potentially 
explosive environments [126]. This is a drastic improvement over conventional wired strain gage 
systems. The fiber can be interrogated in-situ to collect structural information during and after 
flight. Temperatures have been measured at -269°C with a 600°C maximum calculated 
temperature [127]. 

5.3 NASA Avionics Contributions and Capabilities 
5.3.1 NASA Historical Avionics Contributions 

Broadly speaking, NASA’s recent contributions to health management for avionics systems are 
focused on completing the research and early development needed to enable the next generation 
of prognostics and diagnostics capabilities for the safety critical areas discussed in Section 
3.3. In many cases this work may ultimately allow industry to put systems in place that can 
automatically spot the early onset of problems, predict time to failure, and help maintainers 
address issues long before they become safety critical. 

5.3.2 NASA Avionics Capabilities 

5.3.2.1 NASA Capabilities in Electrical Wiring and Interconnect Systems (EWIS) 

The Vehicle Systems Safety Technologies project currently funds research focused on 
developing advanced physics-based models and algorithms for detecting chafing to commonly 
used types of shielded impedance controlled aircraft cable (e.g., coax and twisted-shielded pair). 
While this type of cable is traditionally used to transmit bus or RF communication signals, 
twisted shielded pair cable in particular can also be used to distribute power (although this is not 
current practice, with the move towards composite materials it may become better practice to 
transmit power and ground signals together). The contributions from this approach fill gaps in 
the SOA industry capabilities summarized above. In addition, NASA’s research holds promise 
for resolving many of the technology barriers, listed below, currently preventing chafing fault 
detection in the field [128, 129]. 

• Changing impedance along the length of some cables causes large reflections that mask 
chafing fault signatures, especially in field environments. 

• Prior knowledge of baseline measurements for the nominal un-faulted cable, and of how 
these baselines change over time in an operational environment, is required. 

• Expert knowledge is needed to interpret the measured TDR fault signatures, which are 
often buried in noise. While this knowledge can sometimes be automated using data 
driven supervised machine learning methods, it does not stem from the underlying 
physics of the problem. 

• Fault detection signal processing is usually based on ad-hoc methods such as classical 
correlation (matched filter) methods that do not correctly account for frequency 
attenuation with cable length, or the fact that a single fault produces multiple reflection 
“signatures” within a single TDR measurement. 

• Limited ability to map the fault reflection “signature” back to the actual fault size and 
fault location to quantify the measurement uncertainty — mostly this is because the true 
velocity of propagation for any particular cable is unknown ahead of time. 

The model-based optimal fault detection algorithms, currently under development in VSST, use 
the measured time or frequency data to automatically estimate the model parameters, which 
include the physical fault location and size, and quantify error in a Bayesian probabilistic 
framework (including velocity of propagation). Under this paradigm, baseline measurements are 
not necessary and users no longer need to interpret raw TDR time signatures, since the model 
provides these capabilities. Furthermore, the rigorous physics-based approach to fault detection in 
a single cable enables the characterization of the best possible fault detection trade-space that 
answers the question: how far away and how small can the fault be detected for a given cable? 
Answering that question in the context of physics, as opposed to field studies (which are 
important but also difficult to control, expensive, and time consuming), naturally leads to 
better cable and wiring system design principles. These capabilities all make steps towards 
enabling important aspects of condition based wiring maintenance with applications to commercial, 
general, and military aviation (not to mention a wide array of non-aerospace related fields). 
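
The Bayesian treatment of fault location and velocity of propagation described above can be sketched on a toy problem. This is an added example, not the VSST algorithm or NASA code: it assumes a single point reflection, Gaussian timing noise, a Gaussian prior on the velocity factor, and (hypothetically) a cable of known length whose end reflection is visible; all numbers are constructed.

```python
"""Added illustration: grid-based Bayesian estimate of a chafe location from TDR delays."""
import math

C = 299_792_458.0  # speed of light in vacuum, m/s


def estimate_fault(t_fault, sigma_t, cable_len, t_end=None,
                   vf_prior=(0.66, 0.05), vf_range=(0.45, 0.95),
                   n_vf=501, n_d=1001):
    """Posterior over fault distance d and velocity factor VF on a grid.

    Model (assumed for this sketch): a reflection from distance d returns
    after t = 2*d / (VF*c), measured with Gaussian timing noise sigma_t.
    If t_end (the end reflection of a cable of known length) is given,
    it is used as a second measurement that constrains VF.
    """
    vf_mu, vf_sd = vf_prior
    vfs = [vf_range[0] + i * (vf_range[1] - vf_range[0]) / (n_vf - 1)
           for i in range(n_vf)]
    ds = [cable_len * j / (n_d - 1) for j in range(n_d)]

    # Unnormalised log-posterior: Gaussian prior on VF, flat prior on d.
    logp = []
    for vf in vfs:
        v = vf * C
        lp = -0.5 * ((vf - vf_mu) / vf_sd) ** 2
        if t_end is not None:
            lp -= 0.5 * ((t_end - 2 * cable_len / v) / sigma_t) ** 2
        logp.append([lp - 0.5 * ((t_fault - 2 * d / v) / sigma_t) ** 2
                     for d in ds])

    # Exponentiate relative to the peak so the weights do not underflow to all zeros.
    peak = max(max(row) for row in logp)
    w = [[math.exp(x - peak) for x in row] for row in logp]
    total = sum(sum(row) for row in w)

    # Marginal moments of d (summing over VF) and of VF (summing over d).
    d_marg = [sum(w[i][j] for i in range(n_vf)) / total for j in range(n_d)]
    d_mean = sum(p * d for p, d in zip(d_marg, ds))
    d_sd = math.sqrt(sum(p * (d - d_mean) ** 2 for p, d in zip(d_marg, ds)))
    vf_mean = sum(sum(row) * vf for row, vf in zip(w, vfs)) / total
    return {"d_mean": d_mean, "d_sd": d_sd, "vf_mean": vf_mean}


def constructed_case():
    """Constructed, noise-free delays: 10 m cable, true VF 0.70, chafe at 6.2 m."""
    true_vf, length, d_true = 0.70, 10.0, 6.2
    v = true_vf * C
    return {"t_fault": 2 * d_true / v, "t_end": 2 * length / v,
            "cable_len": length, "sigma_t": 0.5e-9, "d_true": d_true}


if __name__ == "__main__":
    case = constructed_case()
    for label, t_end in (("fault reflection only", None),
                         ("fault + end reflection", case["t_end"])):
        r = estimate_fault(case["t_fault"], case["sigma_t"],
                           case["cable_len"], t_end=t_end)
        print(f"{label}: d = {r['d_mean']:.2f} m +/- {r['d_sd']:.2f} m, "
              f"VF = {r['vf_mean']:.3f}")
```

With only the fault reflection, the location uncertainty is dominated by the prior spread on the velocity factor; adding a second measurement that constrains the velocity narrows it sharply.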

5.3.2.2 NASA Capabilities for Other Avionics Health Monitoring Systems 

The System-wide Safety Assurance Technologies (SSAT) project funds the development of 
modeling methods and algorithms with wide applicability to the prognostics and diagnostics of 
electronic and mechanical system issues in aircraft, including all of the related avionics 
subsystem components discussed previously (see Section 3.3.2 Avionics Emerging Factors). The 
algorithms are also evaluated on specific relevant test platforms and compared for performance 
through NASA Ames Research Center’s Advanced Diagnostics and Prognostics Testbeds 
(ADAPT) lab [130]. Particular examples include the important contributions to capacitor, 
electro-mechanical actuator, and battery health management summarized in the section above, 
and detailed in the references [19, 131]. 

Notice the complementary nature of research efforts between these two Aviation Safety Program 
projects: VSST funds research into health management for a specific vehicle system that affects 
almost all other electronic systems (wiring), while SSAT funds the development of broad 
methods and algorithms that can be applied to a large variety of electrical and mechanical 
systems, and evaluates them for important specific subsystems and components. This dual 
approach optimizes coverage of the most important issues in avionics health management. 

5.4 NASA Propulsion Contributions and Capabilities 

5.4.1 NASA Historical Propulsion Contributions 

Over the years NASA, working in collaboration with external partners, has made significant 
contributions to the SOA in aircraft engine health management. NASA contributions in the areas 
of gas path diagnostics, mechanical component diagnostics, structural lifing, and sensing 
technologies are further discussed below. 

5.4.1.1 Inspection and Monitoring 

5.4.1.1.1 Mechanical Component Health Monitoring 

Over the years, NASA has made numerous contributions in the field of mechanical component 
health monitoring, most notably in support of rotorcraft gear and transmission monitoring for 
Health and Usage Monitoring Systems (HUMS) applications. Much of this work has been 
conducted in collaboration with the U.S. Army. This includes extensive research in gear and 
gearbox vibration diagnostics [132], as well as transmission system [133] diagnostics. 
Additionally, NASA has also evaluated and reported on the benefits of integrating vibration 
and oil debris based techniques for improved damage detection of mechanical component faults 
[134]. Such information fusion techniques hold much promise for improving the performance of 
future engine health management systems. 

5.4.1.1.2 Life Prediction of Propulsion Structures 

Understanding and adhering to the safe operating life of critical life limited parts is critical to 
assuring aircraft propulsion system safety. However, accurate life prediction is unique and 
challenging in this application area due to the high stress loads, repeated operating cycles, and 
the high temperatures encountered. Over the years, NASA has made significant contributions in 
the area of aircraft engine life prediction. This includes pioneering work in the field of bearing lifing 
[135] and gas turbine engine high temperature alloys [136]. This NASA research continues to 
play a fundamental role in establishing the way aircraft engine life limited parts are operated and 
managed today. 

5.4.1.2 Gas Path Health Monitoring 

NASA has been involved in the field of aircraft engine gas path health monitoring for several 
decades. This involvement began in the late 1970s under a NASA-led effort on aircraft engine 
performance retention, including work in engine diagnostics. In 1981, NASA hosted an industry-wide 
workshop on Aircraft Engine Diagnostics that highlighted many of the foundational gas 
path health monitoring approaches that are still in use today [137]. The NASA aircraft engine 
performance retention program also consisted of contracted efforts with engine manufacturers to 
document aircraft engine performance deterioration trends based on historical airline data 
[138,139]. The ensuing reports established an understanding and a means to forecast gas path 
module performance deterioration trends. In the 1980s, NASA partnered with industry and the 
DOD on the Performance Seeking Control Technology Program. This entailed the 
implementation of on-board analytical engine models with an associated tracking filter for tuning 
the model to match the performance of the engine based on engine sensor measurements. Such 
on-board models have several applications including engine controls, performance trend 
monitoring and diagnostics. More recently, under the Aviation Safety Program, NASA has 
worked with industry to enhance on-board model technology by combining analytical and 
empirical modeling techniques [140]. 

5.4.2 NASA Propulsion Capabilities 

5.4.2.1 Materials for Propulsion Health Management 

Current and emerging commercial aircraft are utilizing advanced materials in propulsion 
components including advanced Ni-base superalloys for turbine disks [141] and polymer matrix 
composites for engine structures [142-144]. Work within the VSST project addresses potential 
safety issues for recently implemented technologies as well as robust design for future emerging 
technologies. New materials have been introduced in propulsion systems for improved 
performance; however, these modifications introduce new potential safety concerns particularly 
under long term use when components in operational environments often experience aging- 
related issues. 


NASA/TM—2013-217825 

5.4.2.1.1 Advanced Ni-base Superalloy Disks 

A turbine disk is a fracture critical structural engine component, as a failure usually results in a 
loss of engine, considerable airframe damage, and the possibility of loss of the aircraft. High 
strength, high temperature disk alloys are susceptible to surface processing defects that have 
been known to cause failures [145]. Twenty five percent of FAA Airworthiness Directives 
publicly issued in the first 6 months of 2012 have been associated with enhanced inspections to 
detect compressor and turbine disk cracking, in order to prevent uncontainable disk failures. This 
cracking is usually at machined surface features and notches. Advanced Ni-base superalloys, 
designed to withstand higher temperatures to improve engine efficiency, are being utilized in 
compressor and turbine disks in current and emerging commercial aircraft [141]. While the 
durability of these material systems was assessed during the material development and engine 
certification, safety issues can emerge as the new technologies accumulate time in service. 

Long term operation of engines at higher temperatures, with the aggressive environments and 
engine contaminants, may result in previously unobserved oxidation, corrosion and near-surface 
changes to the microstructure, which can significantly degrade mechanical properties [146-149]. 
The effect of these near surface changes on disk life must be evaluated. Stable protective 
coatings are being developed for long term service at temperatures up to 760°C to protect disks 
from corrosion and oxidation. Corrosion could lead to premature fatigue crack initiation and the 
failure of a turbine disk prior to the anticipated retirement of the component. A detailed 
characterization and modeling of the near-surface layer after current and advanced surface 
processing, including application of coatings, is needed for more accurate life prediction. Models 
will be developed that can relate environments, coatings, superalloys, and cycling conditions, 
that could later be related to actual engine environmental conditions for various engines and 
flight cycles. The long term goal will be to have accurate life prediction capabilities for advanced 
Ni-base superalloy disks. 

5.4.2.1.2 Composite Materials for Engine Structures 

Composite materials are beginning to be used for fan cases and other engine primary structures 
[142-144]. There is limited service experience with composite components, and failure 
mechanisms are not well understood [150-152]. Technologies will be developed to provide a 
more robust assessment of safety for these composite engine structures, for both current and 
future applications. Potential effects of material aging in simulated engine environments and 
impact damage from various sources (bird strike, hail, and foreign object debris (FOD)) will be 
investigated to assess safety over the full life cycle of an engine. New test methods, which 
accurately simulate impact conditions for an in-service failure, are being developed to evaluate 
existing and emerging material concepts. Cooperative work with the FAA and universities is 
being conducted to develop more accurate computational impact models that better predict the 
effects of aging on both in-service and processing induced flaws. New nondestructive detection 
techniques are being developed that allow a much higher quality of flaw detection and 
visualization. These combined efforts will lead to a higher level of confidence in assessing the 
structural integrity of proposed and in-service composite engine structures, resulting in greater 
safety. 

5.4.2.2 Gas Path Health Management 

An emerging approach in the field of aircraft engine design is the inclusion of on-board self- 
tuning engine models for control and health management applications. This technology, which 
has been enabled by advances in flight processing capabilities, consists of an aerothermal engine 
model and an associated tracking filter. The tracking filter, typically based on a Kalman filter, is 
designed to process engine gas path sensor measurements to estimate and adjust a vector of 
model tuning parameters reflective of engine performance. This automated tuning parameter 
adjustment allows the engine model to “self-tune” to match the performance level of the actual 
engine, and produce estimates of measured and unmeasured engine outputs that can be applied 
for performance trend monitoring and gas path diagnostic purposes. Additionally, the model- 
produced parameter estimates can also be applied for controls and prognostic applications. 

A challenge in designing accurate self-tuning engine model technology is the inherent 
underdetermined nature of the estimation problem. Typically, there are more unknown 
parameters than available sensor measurements. Recently, NASA has developed a systematic 
approach for selecting the tuning parameters applied within self-tuning engine models [153]. 
This analytical technique, designed to minimize the model’s estimation error, provides system 
designers a tool that enables them to optimize the tracking filter design for their given 
applications. It also enables them to assess design decisions, such as the estimation accuracy 
improvement that could be gained by adding additional sensors. Application of this approach has 
been shown to yield a significant improvement in model estimation accuracy compared to 
conventional design approaches. 

In addition to improving self-tuning model accuracy, NASA has also recently worked to develop 
a model-based gas path health management architecture designed to process streaming, 
continuous engine data [154]. This architecture, like conventional gas path analysis based on 
snapshot measurement data, provides performance trend monitoring and gas path fault diagnostic 
functionality. However, unlike conventional approaches, which are primarily performed off- 
board based on a limited number of snapshot measurements collected at fixed operating points 
during each flight, the processing of streaming data approach collects data over the engine’s 
entire operating profile including transient conditions. This new design, which enables improved 
diagnosis of incipient fault conditions with reduced diagnostic latency, is suitable for either on- 
board or off-board implementation. Implemented on-board, the architecture provides real-time 
continuous health monitoring functionality. Alternatively, as data acquisition, transmission, and 
archival restrictions lessen in the future, the architecture is suitable for processing streaming full- 
flight engine data available off-board. 

To facilitate the development and evaluation of propulsion controls and health management 
technology, NASA has developed transient aero-thermal engine models, which are publicly 
available through the NASA Glenn Software Catalog [155,156]. These models, referred to as the 
Commercial Modular Aero-Propulsion System Simulation (C-MAPSS) and Commercial 
Modular Aero-Propulsion System Simulation 40,000 pound thrust (C-MAPSS40k), are 
representative of commercial aircraft turbofan engine designs. They include a realistic closed-loop 
control system, full-envelope transient simulation capabilities, and the ability to simulate 
gas path system faults. These models enable the initial development and comparison of gas path 
diagnostic methods by members of the engine health management community. 

5.4.2.3 Sensors for Propulsion Health Management 

In order for future aerospace propulsion systems to meet the increasing requirements for 
increased safety, decreased maintenance, and improved capability, propulsion system design and 
operation must become more intelligent [157-159]. NASA is a leader in Microsystems and harsh 
environment-based instrumentation, sensors, and electronics with an existing long-standing 
program in Microsystems and sensors for harsh environments and safety applications. The 
overall program has won four R&D 100 Awards (one of 100 Most Significant 
Inventions/Products of the Year) in the last 15 years, one Nano 50 Award (one of 50 
technologies to impact nanotechnology), a NASA Top Discovery Story in 2007, has been 
nominated for NASA Invention of the Year in 2009, and has received a range of international 
recognitions. Overall, there are a range of technologies where NASA is unique and world- 
leading. 

In particular for propulsion system health monitoring, NASA has been active in developing 
sensor technologies to detect, locate, and identify damage not only by passively sensing their 
surroundings but also by actively interrogating them. The sensor development follows the principle of 
considering the complete sensor system including the overall need to reduce sensor size and 
weight, the need to improve sensor reliability, and ultimately to reduce sensor false alarm rate. 
This implies the development of sensors and electronics, with associated packaging, that will be 
able to operate under the harsh environments present in an engine. 

In order to monitor the vast range of components associated with an engine, an array of sensor 
technologies are of interest [27, 157]. Figure 5.3 shows the relationship between sensed 
parameters and relevant engine conditions of interest for control/health monitoring applications. 
Among these, temperature, flow and pressure associated with gas path health monitoring are of 
interest, and emissions have correlation to the state of the combustor via combustion process and 
other engine health conditions. NASA has led the development of a range of technologies 
addressing various aspects of the measurements noted in Figure 5.3. This development has often 
been in collaboration with industry, and motivated by an understanding of the instrumentation 
needs for engine systems [160]. The following briefly gives some notable examples; further 
descriptions of the technology and safety applications can be found in references [161,162]. 

[Figure 5.3 text, listed by group in the order shown in the figure] 

Control and health monitoring technologies: 

• FOD and hot gas ingestion detection; ice accretion detection; inlet shock control 
• Stability margin management; active stall control; active flow control; life management; 
clearance control; high cycle fatigue detection 
• Combustion instability control; emissions minimizing control; burner pattern factor control 
• Active turbine tip clearance control; life management; active cooling control 
• Domestic object damage detection; blade erosion and rub detection; afterburner light-off 
detection 

Sensed Parameters: 

• Inlet debris; inlet shock position; pressure & temperature 
• Stall precursors; flow separation; stress, strain; tip clearance; blade time of arrival, 
bending, flutter; vibration; pressure & temperature 
• Combustion instabilities; emissions; burner pattern factor; pressure & temperature 
• Blade tip to casing clearance; turbine inlet temperature; blade/vane temperature; vibration; 
stress/strain 
• Exhaust debris; pressure & temperature 

Figure 5.3. — Propulsion control and health monitoring technologies and associated sensed 
parameters [157]. 


5.4.2.3.1 Self Diagnostic Accelerometer 

Accelerometers are commonly utilized for structural health monitoring of both aircraft and 
spacecraft engines [161-163]. Accelerometers generally monitor machine health by monitoring 
vibration measurements in a particular frequency band for exceedance of acceptable vibration 
magnitudes and rotor-out-of-balance conditions. Real-time sensor validation is necessary to 
prevent a vehicle controller, or facility safety system, from making critical decisions, such as one 
to shut down an engine, on the basis of anomalous sensor data. The Self Diagnostic 
Accelerometer is an electronic diagnostic system that monitors the accelerometer sensor enabling 
a smart sensor system. This system identifies changes in temperature, sensor loosening, and 
sensor structural or electrical damage. This technology provides a real time method of sensor 
validation that can be utilized as part of a propulsion structural health management system to 
improve overall reliability of engine health assessment. 

5.4.2.3.2 Microwave Blade Tip Clearance Sensor 

Microwave sensor technology has been developed as part of a NASA SBIR program as a means 
of making non-contact structural health measurements in engine hot sections [161]. High Cycle 
Fatigue (HCF) of rotating components, specifically blades, is a common failure mode and is due 
to high vibration levels of the rotating components and blades [157, 164-165]. This microwave 
blade tip clearance sensor can be used in the harsh environment of a turbine engine resulting in 
the capability to make in-situ health measurements of the engine’s rotating components, 
specifically the High Pressure Turbine and High Pressure Compressor sections. This type of 
sensor is accurate, operates at extremely high temperatures, and is unaffected by contaminants 
that are present in engines. This technology can also be used to monitor blade growth and wear, 
and blade tip timing to monitor blade vibration and deflection. A general standard for this sensor 
type is in development [166]. 

5.4.2.3.3 High Temperature Fiber Optic Sensors 

The high temperature fiber optic sensors aim to provide expanded sensor coverage of sensed 
parameters through the use of fiber optic technology for reliable measurement in hot sections of 
the engine. Optical devices are immune to the effects of electromagnetic interference and 
therefore do not need electrical insulation. This makes the sensors well suited to work in an 
electrically charged environment and in locations where electrical discharge may be an issue. 
Furthermore, the small diameter of the fiber permits easy embedding within structures and 
multiple sensors can be put on a single fiber and there is no need for separate power wires. The 
development of high temperature optical thermal focuses on optical fibers with Fiber Bragg 
Gratings (FBG) written into the fiber operable at temperatures up to 1000°C. A major point to 
note is that these sensors are based on the standard silicon based optical fibers, rather than 
specialized, less available high temperature fibers such as quartz. 

5.4.2.3.4 Thin Film Physical Sensors 

Thin film sensors including those for strain, temperature, heat flux and surface flow enable 
critical vehicle health monitoring and characterization of engine components. The use of sensors 
made of thin films has several advantages over wire or foil sensors. Thin film sensors do not 
require special machining of the components on which they are mounted, and, with thicknesses 
less than 10 µm, they are considerably thinner than wire or foils. Thin film sensors have a 
minimal impact on the physical characteristics of the supporting components. The need for 
sensors to operate in harsh environments is illustrated by the need for measurements in the 
turbine engine hot section. The degradation processes that occur in the harsh hot section 
environment are poorly characterized, which hinders development of more durable components, 
and since it is so difficult to model turbine blade temperatures, strains, etc., actual measurements 
are needed. 

5.4.2.3.5 Emissions Sensor Array 

The emissions that an engine produces are understood to be indicative of the state of the 
combustion process, reflective of other engine health parameters, and have direct effect on 
engine bleed air and the cabin environment. An array of sensors placed in the emissions stream 
close to the engine exit could provide information on the gases being emitted by the engine. 
However, there are very few sensors available that are able to measure the components of the 
emissions of an engine in-situ. NASA sponsored and collaborative work with academia and 
industry, as well as funding by the Navy, has concentrated on developing emissions sensors, and 
integrating these sensors into an array that can be placed at the engine exit [167-170]. The results 
of the Navy funding showed the viability of this approach to provide measurements comparable 
to standard instrumentation. This application was for engine qualification, not directly for health 
monitoring. 


5.4.2.3.6 High Temperature Smart Sensor Systems 

Currently, for almost all sensors, actuators, or processing units installed on an engine for 
improved in-situ monitoring of the components, communication and power wires must follow. 
More sensor systems added to the aircraft increases the number of wires and the associated 
weight, complexity, and potential for unreliability. In general, “Wiring on an aircraft is complex, 
difficult to route, heavy and a key source of faults, which lead to delays and cancellations for 
passengers. Engineers thus try and minimize wiring as “every wire is a source of failure and 
every wire adds weight” [171]. Further, sensor reliability and integrity of data is often improved 
by local processing. Work is leading toward self-contained complete wireless sensor systems 
with integrated intelligence that can be applied like a postage stamp, without the need to rewire 
the systems (“Lick and Stick” technology). This High Temperature Smart Sensor System 
approach allows improved sensor data and increased capability to implement the system. It 
involves a complete system: sensors, signal processing, wireless communication, and power 
capabilities. Such technology is viable in silicon (Si) based electronics for near room temperature 
operations [167,168, 172], but is a technical challenge for high temperature environments. 

Beyond the high temperature sensor element technologies described above, development of 
components of the High Temperature Smart Sensor includes: 

• Silicon carbide (SiC) electronics and packaging: NASA has been a world leader in the 
development of SiC electronics with a significant number of internationally recognized 
breakthroughs [173]. SiC has shown the potential of meeting a range of engine 
application needs [174-176]. Operation at 500 °C has been demonstrated for thousands 
of hours enabling potential implementation in engine conditions for extended periods 
[162,177-178]. 

• High Temperature Wireless Communications (500 °C): NASA activities aim to use high 
temperature compatible materials to fabricate a complete wireless circuit [179]. Notable 
advancements include demonstration of wireless transmission at near 500 °C of position 
transducer data [180], and 500 °C transmission of pressure data both by wire and 
wirelessly [181]. 

• Power scavenging: Power scavenging using thermoelectrics or piezoelectrics [182,183] 
that take advantage of the energy already present within the engine have notable appeal 
for self-powered sensor systems. NASA has led development of a range of relevant 
thermoelectric based technologies (for 500 °C operation [184-187]). 

The integration of sensors, electronics, power scavenging, and wireless communication 
components has been demonstrated at 300 °C [188]. This was considered a proving ground for 
technologies to allow 500 °C smart system operation. 

5.4.2.4 Vehicle Integrated Propulsion Research (VIPR) Test Program 

Vehicle Integrated Propulsion Research (VIPR), incubated in the IVHM project, is a means to 
test and evaluate emerging health management technologies on a commercial engine, 
incorporating new sensors directly on the engine, providing seeded fault scenarios, and 
evaluating advances in engine diagnostics. This step is critical in order for IVHM technologies to 
mature from lab work and simulations to TRL 6 demonstrations needed for industry acceptance. 
This work is in partnership with the Air Force, which has provided access to two F117 high 
bypass turbofan engines and time on operational planes for the ground-based, on-board engine 
tests. In these tests, the research engines are instrumented to achieve NASA and partner goals 
and mounted on a C-17 aircraft, though it is important to note that the planes are grounded and 
do not take flight. 

A series of tests are planned with the overall VSST objective of testing health management sensors, 
sensor systems and algorithms on a high bypass turbofan engine under the following conditions: 
(1) Normal engine operations; (2) Seeded mechanical faults; (3) Seeded gas path faults; and 
(4) Accelerated engine life degradation through volcanic ash ingestion testing. 

The first VIPR test took place in December 2011 at NASA Dryden Flight Center/Edwards Air 
Force Base as an on-wing ground test on a heavily instrumented Pratt & Whitney F117 high 
bypass turbofan engine. The following VSST test objectives were achieved, along with the 
partner objectives: 

1. VSST emission sensor system test: a) test the sensor system’s ability to detect a simulated oil 
leak and b) changes in sensor response with changing engine conditions 

2. Self Diagnostic accelerometer feasibility test: demonstrate operability of self-diagnostic 
accelerometer in aircraft engine environment 

3. Prepare microwave tip clearance sensor for on-board tests: perform electromagnetic 
interference (EMI/EMC) testing according to aircraft requirements 

4. Validate Gas Path Diagnostics: test analytical model predictions of engine parameters in the 
presence of bleed valve faults (failed, full open; schedule bias) 

Plans for further testing are in the formulation stage and are intended to include the majority of 
the technologies described above in Sections 4.3.2.1 and 4.3.2.2. 

5.5 Summary of NASA Contributions and Capabilities 

NASA has numerous past contributions and current capabilities that are relevant to Vehicle 
Health Assurance. Technologies targeting the health assurance of the vehicle include: 

• Significant technology development related to detection, diagnosis, and prognosis within 
the IVHM project, and material and sensory development within the Aging Aircraft 
project. 

• Significant development of subsystem technologies, with a framework available for an 
overall vehicle level system 

• Airframe technologies and capabilities: 
o Sensory materials 
o Healing materials 
o Diagnostic and prognostic algorithms 
o Airframe sensor systems 

• Avionics technologies and capabilities: 
o Wiring diagnostics and modeling 
o Broad-based methods and algorithms 
o Testbeds for algorithm evaluation 

• Propulsion technologies and capabilities: 
o Advanced Ni-base Superalloy disks 
o Composite Materials for Engine Fan Containment 
o Gas path health management 
o Harsh environment sensor technology/smart sensor systems 
o On-engine testing and characterization 

6.0 Vehicle Health Assurance Concept 

6.1 Health Assurance System Scope and Overview 

In today’s environment, aircraft are assumed to perform reliably for extended periods between 
major inspections. Inspection intervals are based on set standards, not the condition of the 
individual vehicle. However, unique failures occur due to the service history of individual 
aircraft, or even potentially from aircraft-to-aircraft build variations. Moreover, these faults and 
failures are frequently not detected during inspections. Contributing factors include the 
following: 1) Inspections based on vehicle life assessments and engineering predictions 
determined at the beginning of aircraft service; 2) Faults and failures are detected utilizing 
external inspections, which are not always effective; 3) Use of on-board sensors is limited due to 
weight and harsh environment conditions; and 4) New technologies can create hazards not 
identified during development. 

The VSST project, in recognizing the critical need to maintain a safe vehicle between major 
inspections, will develop and demonstrate new integrated health management and failure 
prevention technologies to assure the integrity of vehicle systems between major inspection 
intervals and maintain vehicle state awareness during flight. There are multiple approaches 
towards such an improved safety system. 

6.2 Aviation Community Health Assurance System Approaches 

Possible approaches to an Integrated Vehicle Health Assurance system, which includes 
Integrated Health Management, can be found in multiple documents. The Decadal Survey [189] 
states that: 

“Integrated vehicle health management (IVHM) refers to monitoring, assessing, and predicting 
the health of aircraft materials and structures using networks of sophisticated onboard sensors. A 
fully integrated approach to IVHM relies on a multidisciplinary set of analysis, testing, and 
inspection tools, including miniaturized sensors and distributed electronics; sophisticated signal 
processing; data acquisition, integration, and database maintenance; artificial intelligence; 
damage science; and the mechanics of structures and their failure... IVHM benefits all classes of 
aircraft, in all speed regimes and phases of flight.” 

The National Aeronautics Research and Development Plan states that Fundamental Safety 
Challenges to Overcome include [190, pg. 31]: 

• Predicting, monitoring, and assessing the health of aircraft, at the material, 
subsystem, and component level, more efficiently and effectively. 

• Applying novel sensing ... and estimation techniques to assist in stabilizing and 
maneuvering next-generation aircraft in response to safety issues ranging from ... 
on-board system failures, to unintended entry into unusual flight conditions and 
environmental hazards. 

• Understanding and predicting system-wide safety concerns of ... the vehicles as 
envisioned by NextGen, including the emergent effects of increased use of 
automation to enhance system efficiency and performance beyond current, 
human-based systems, through health monitoring of system-wide functions that 
are integrated across distributed ground, air, and space systems. 

Goal 1 of this plan is to “Develop technologies to reduce accidents and incidents through 
enhanced vehicle design, structure, and subsystems”. It also states (pg. 32): 

“Aircraft-level health-management systems, including sensors and analytical tools, will be 
developed that can identify problems before accidents occur. Research in health management 
requires not only monitoring and detecting, but also confident prognostics of latent potential 
failures before they occur. While health management is informed by the known accident and 
incident records of other vehicles, it is not restricted to those known conditions. The 
development of health management systems requires a deeper understanding of aging and 
degradation mechanisms in airframe and aircraft systems.” 

The Joint Planning and Development Office (JPDO) National Aviation Safety Strategic Plan 
(NASSP) defines national goals, objectives, and strategies for aviation safety improvements. 
Vehicle health management systems also figure prominently within this National Aviation Safety 
Strategic Plan related to Goal 2: Safer Systems, Objective 2B - Provide safety enhancements for 
airborne systems [191, p. 6]: 

“Improve vehicle systems health management through advanced monitoring systems and 
decision aids. These systems can monitor various aspects of systems health, both during flight 
and through post-flight analysis, including vehicle structures, propulsion systems, control system 
elements, and avionics hardware and software. To provide pilots, dispatchers and maintenance 
personnel with ready access to system health information, advanced aircraft monitoring systems 
will be developed that integrate sensor information. Integration of advanced monitoring systems 
will increase operators’ timely and accurate understanding of system health, resulting in quicker 
identification of sub-system faults and failures and increased opportunity to successfully mitigate 
and prevent these failures. Enhanced decision aids will assist operators in preventing 
unacceptable safety risks from developing, enhancing operators’ recognition and incorporation 
of complex factors in situation assessment and mitigative decision-making. To ensure an 
efficient response, certain system failures will precipitate automatic transition to alternate 
operating parameters, with backup procedures in the event of anomalous conditions. Executing 
this strategy will help to reduce the number of hazards encountered, enhance the understanding 
of off-nominal conditions, and reduce the response time in making optimal decisions, ultimately 
improving operator awareness and mitigative response to airborne events and hazards.” 

These and other external inputs, as well as existing NASA capabilities, suggest potential NASA 
approaches and concepts towards Vehicle Health Assurance. NASA’s approach and Vehicle 
Health Assurance Concept will be discussed in the following sections. 

6.3 NASA Recommendations 

These approaches can be summarized as having a number of common themes and technology 
directions. The NASA viewpoint on future technology development may be summarized as 
follows: 

• NASA does not build vehicle systems. NASA’s role in the Aviation Safety program is 
to do the research in order to provide a wide range of tools and approaches to enable 
those who do build, operate, and maintain aircraft to be able to achieve the next 
generation of vehicles with properties that enhance the nation’s and public’s safety. 

• These tools must be practical to allow fleet wide implementation and potentially 
enable other benefits such as decreased emissions, increased performance, and 
decreased operating costs. Major impact within the next 5 years is a primary goal, 
and this impact is maximized by establishing a foundation for paradigm shifts in 
aviation technology. 

• There is information available related to each vehicle now; there is often a challenge 
as to what to do with that information. Further, if for no other reason than bandwidth 
restrictions, it is not feasible to continuously transmit all of the information to 
everyone who might need to know it. Systems that are more complex in their 
interface to the user and provide streams of unprocessed information will provide 
limited impact. 

• Introduction of new technology must be aimed towards increasing system capability 
and safety, while minimizing complexity for the user, especially in cases of 
retrofitting vehicles. 

• Local processing and hierarchal approaches are needed. In parallel to advances 
across the technology spectrum from the smart phone to automated parking, 
significant capabilities are achieved by highly complex intelligent systems with little 
impact on users. 

• The fundamental concept for IVHAS is that increased intelligence of the vehicle will 
enable improved safety. This increased intelligence is established from the bottom up 
with integrated smart sensors and materials coupled with diagnostics and 
prognostics operating locally, feeding into smart nodes and subsystems, and finally 
across the vehicle. Overall, the intelligent system is enabled by integrated, local 
smart detection, diagnostics, and prognostics. 

A safer vehicle is one that is constructed with materials that avoid safety issues, 
evaluates its own health and mitigates its own problems where appropriate, and 
provides information to flight and ground personnel in a simple, actionable way. Not all 
problems can be addressed given the resources of the MVS Technical Challenge. Rather, 
a range of tools will be targeted based on safety impact, and available NASA 
capabilities. 

While not an exhaustive list, based on previous NASA analysis and the above technical 
assessments, some recommended technical themes/directions include: 

• Improve on-board sensor and detection systems for increased reliability and to provide 
better vehicle health information throughout continued use and system degradation, as 
well as during operation in unintended and unusual flight conditions and environmental 
hazards. This includes an emphasis on sensor technology that takes into account 
implementation issues. 

• Improve methods for diagnosing aircraft health at the material, component, and subsystem 
levels, in addition to developing a complete system level approach that continuously 
incorporates vehicle usage and sensor data throughout the lifetime of the vehicle. 

• Improve inspection and material design techniques so that they better capture the state of 
the vehicle during major inspections and also provide valuable information in between 
major inspections to identify potential safety issues. 

• Integrate on-board flight information with ground inspection data into a unified 
assessment of vehicle health state to enable improved decision making and actionable 
knowledge to decrease inappropriate crew responses, and target maintenance activities. 

• Identify the necessary technologies to ensure vehicle safety as the fleet ages and as new 
technologies are introduced into vehicle operation. 

• Provide key information enabling the crew to better respond to Loss of Control situations 
and avoid inappropriate responses. 

Thus, a primary objective of the Integrated Vehicle Health Assurance System Concept of 
Operations is to identify technologies to address the themes described above, as well as methods to 
allow a pathway for their vehicle integration. 

6.4 MVS Integrated Vehicle Health Assurance System (IVHAS) Approach 

Vehicle-related failures are often the first factor in the sequence of events leading to safety 
incidents and accidents. Precursors to vehicle faults and failures are frequently found during 
periodic inspections; however, many areas are inaccessible even during major inspections. This 
is illustrated in Figure 6.1. Damage and faults found and repaired during inspections result in a 
safe vehicle, as shown in Case 1. However, damage precursors in areas that are difficult to 
inspect may be missed, but could lead to a failure between inspections as shown in Case 2. 
Finally, damage can occur after a major inspection yet result in catastrophic failure before the 
next inspection. 

The goal of the MVS Technical Challenge is to maintain vehicle safety between these major 
inspections. The MVS Technical Challenge proposes a three-prong solution to maintain safety 
between inspections. First, technologies will be developed to enhance existing inspection 
methods to identify damage in areas that are difficult to access. Second, advanced materials and 
coatings will be developed to prevent damage initiation and growth. Finally, large area 
inspections, coupled with on-board health monitoring, will identify damage or faults that occur 
after an inspection. By providing multiple opportunities to prevent or identify unsafe vehicle 
health states, current levels of safety can be maintained or exceeded even as air travel demand, 
vehicle complexity, and the use of new materials increases. The approach is to enable more 
efficient and effective understanding of the vehicle health by developing health-assurance tools, 
systems test methodologies, and life indicators targeted for improving the health assessment of a 
given subsystem, while keeping in mind that a vehicle is an integrated system with notable 
interplay between subsystems. Further description of the aspects of this approach is given below. 

Figure 6.1. — An overview of the Maintaining Vehicle Safety between Inspections IVHAS Approach. 


6.5 MVS Concept for Integrated Vehicle Health Assurance System 
6.5.1 Vehicle-Level Concept 

To achieve the MVS goal to maintain vehicle safety between these major inspections, the MVS 
Technical Challenge is decomposed into three elements as shown in Figure 6.2. The Materials 
and Coatings (MAC) element provides the first line of defense by preventing damage initiation 
and progression to airframe and engine structures through the development of self-healing, 
self-sensing materials that can prevent or arrest damage progression, and through protective coatings 
to prevent oxidation and corrosion of advanced engine Ni-base superalloy disks. The Sensors and 
Diagnostic Tools (SDT) element provides the second line of defense by avoiding and mitigating 
aircraft faults and failures by providing improved inspection methods, coupled with on-board 
monitoring, to ensure safe vehicle operation between major inspections for the airframe and 
avionics subsystems. Like SDT, the High Temperature Propulsion Health element avoids and 
mitigates engine faults and failures, but is unique in that the survivability of the sensors in 
extreme temperature and vibration environments becomes a significant challenge. 


[Figure 6.2 panels. Title: Reducing Aircraft-Related Accidents. Materials and Coatings: 
airframe/engine materials and coatings that detect damage and minimize premature failures. 
High Temperature Propulsion Health: high temperature engine sensor and diagnostic systems 
for reliable health monitoring. Callout: 1 in 4 fatal accidents caused by vehicle systems 
failures and malfunctions.*] 

*“An Examination of Aviation Accidents and Incidents During the Years 1989-2008 Associated with Technical Challenges within VSST,” Joni K. Evans, 2011, p. 20. 

Figure 6.2. — The MVS Development Approach (FY12-FY16). 


During FY12 to FY16, MVS tasks and activities will focus on integrated health assurance and 
failure prevention technologies. Given this scope, the subproject’s research products are to 
develop, evaluate and demonstrate: 

• Innovative sensors and diagnostic tools to provide information to anticipate and prevent 
potential critical failures. 

• High temperature engine sensor systems that directly monitor compressors and turbines 
for reliable engine health monitoring. 

• Airframe and engine materials and coatings that detect damage and minimize premature 
failures from fatigue, fracture, delamination, and corrosion. 

A fundamental concentration of this MVS project is to take a whole-vehicle approach with 
emphasis on integrating ground information and history with in-flight detection, diagnosis, and 
prognosis. The approach is that each vehicle has an individual history (“fingerprint”) which 
spans influences from the basic properties of the materials and components to the vehicle’s 
previous flight history and maintenance records. In order to understand the health state of the 
vehicle at any given time, it is necessary to take into account not only its present state, but the 
vehicle’s unique fingerprint and history as well. The MVS health state information is 
fundamental to a whole-vehicle approach that addresses the conditions of a vehicle not only over 
a single flight, but also realizes that a single flight is a brief snapshot of the vehicle history. This 
health state information acquired in-flight over multiple flights contributes towards an 
understanding of the vehicle fingerprint and evolving vehicle state over time thus directly 
contributing to the prediction of the remaining useful life of the vehicle. The MVS approach can 
identify evolving problems in-flight and, coupled with ground-based sustainment activities 
between major inspections, can reduce vehicle maintenance costs and increase availability. (This 
is in the context that any vehicle is part of a fleet of vehicles that also have an individual history; 
however, fleet wide issues are addressed by SSAT.) 

The overall MVS framework is shown in Figure 6.3 highlighting the areas of MVS subsystem 
development over the next five years. The three components of MVS affect the operation of the 
major subsystems of the vehicle. The Materials and Coatings element affects the airframe and 
propulsion subsystem with, for example, Integrated Sensing and Healing Systems, Bonded Joints 
and Repairs, and Engine Emerging Discs and Composite Materials Health. Sensor and 
Diagnostic Tools affect the airframe, avionics, and propulsion systems with, for example, Digital 
Assessment of Aircraft Structural Health, Propulsion System Diagnostics, and Wiring Fault 
diagnostics. High temperature engine sensor systems provide a range of harsh environment 
sensor and sensor system technologies for improved monitoring of the engine with, for example, 
High Temperature Smart Sensor systems. Each of the mappings, such as Materials and Coatings 
to Airframe and Propulsion, is shown in Figure 6.3. The specific technologies chosen for 
development are chosen based on the safety analysis, the state-of-the-art, NASA capabilities and 
potential impact, and budget considerations. Further details on the specific research involved are 
provided elsewhere in Section 6.0. 

The results of these technology advancements are intended to provide health state data and allow 
vehicle level diagnostics. The emphasis of the MVS activities in the next 5 years is on the 
subsystem level and not on vehicle level diagnostics. However, the MVS development proceeds 
with the understanding that subsystem technologies will feed into a vehicle level system. This 
vehicle level system has not been determined, but, without endorsing any particular technology, 
the basic approach in the NASA sponsored activities described in Figure 5.1 can be considered 
as a framework. Having such a framework in mind guides the subsystem development in the next 
5 years. 

Figure 6.3. — The MVS Integrated Vehicle Health Assurance System framework. 

The MVS project tools and systems provide information related to the vehicle health state to 
mitigate and manage the state of degradation of aircraft systems while in-flight and on the 
ground between major inspections. MVS contributes to an Integrated Vehicle Health Assurance 
system by providing situational awareness of the vehicle state and condition with combined 
in-flight and ground information. This allows appropriate mitigation responses to adverse events 
based on a proper understanding of that particular vehicle system’s state in time, rather than 
attempting to respond to an unknown vehicle condition and perhaps worsen the situation with an 
inappropriate response. The situational awareness provided by MVS also directly affects the 
ability to enable Crew Decision-Making and Response in Complex Situations 
(CDM), and Assure Safe and Effective Aircraft Control under Hazardous Conditions (ASC). In 
other words, in order to make proper decisions in real-time to mitigate a problem, one has to 
understand the problem; MVS provides information to enable improved decisions. 

Further, the effects of MVS are not only for this generation of aircraft systems, but the next 
generation as well. Next generation vehicle systems will involve new material and technical 
approaches to enable advanced capabilities. In order for these systems to reach their full 
potential, the vehicle as a whole needs to include a more intelligent and self-sustaining correcting 
design concept. Core to an intelligent vehicle is the ability to self-diagnose and self-prognose; 
the foundation for such capabilities will be developed, matured, and as appropriate, validated as 
part of the MVS project in specific technology areas. 

The MVS Technical Challenge will develop, mature, and validate technologies to detect, 
diagnose, and prognose the health state of the vehicle while in-flight and on the ground. This is 
accomplished by sensor systems coupled with algorithms that measure vehicle parameters at the 
material, component, and subsystem level and analyze those parameters and past history to 
determine the present health state of the vehicle and predict future conditions. The 
health-assurance tools developed in this project will target subsystems including airframe, propulsion 
and avionics, but also other subsystems as appropriate and as resources allow. 

The foundation for the overall VSST Health Assurance concept of operations is the combination 
of an online system for storing in-flight sensor readings with processing to identify rapidly 
failing safety critical systems, and an offline historical vehicle database that stores the recorded 
data regarding a particular aircraft. Added to this is the concept of design enhancements for 
overall vehicle safety, and that on-board monitoring safety information should be fed to 
functions such as ASC and CDM, as well as into Inspection Functions and Maintenance Repair 
and Overhaul Advisories. Fundamentally, this approach addresses the “stove piping” often 
present in the conventional state-of-the-art (SOA) with a unified strategy combining flight 
systems, ground maintenance, and design approaches. An overall summary of this approach is 
shown in Figure 6.4. 

Figure 6.4. — The Concept of MVS Integrated Vehicle Health Assurance, including the integration 
of design enhancements, improved materials, improved inspection, and onboard monitoring. 


The primary purpose of the online system is to collect, locally process, temporarily store, and 
later transmit flight and environment data to the offline database while at the gate or end of day. 
A second purpose is to monitor and identify the rapid (milliseconds - minutes) degradation and 
failure of safety critical subsystems that need immediate attention either by the pilot or 
automation system. The first goal of any vehicle health assurance system is to identify potential 
failures long before flight safety becomes an immediate concern to the pilot. 

The offline historical vehicle database is a fundamental aspect of the overall system. It includes 
all recorded environmental and flight data (e.g., flight ops/quality assurance data), sensor 
measurements collected from the aircraft’s airframe, propulsion, and avionics subsystems, 
maintenance records, data sets from ground based inspection, service difficulty reports, and 
incident and accident reports. Together this set of information forms a digital fingerprint for each 
aircraft, and enables the identification of custom maintenance actions and/or interventions unique 
to the history of the individual vehicle. 

■ Fleet managers need overall system health information including remaining useful life before major overhaul, and 
optimal location to schedule repairs. 

■ Maintainers need state of health information, identification and location of needed repairs, and usage and repair 
history. 

■ Pilots need information and alerting of upcoming safety critical failures and how best to respond. 

■ Automation Systems need information for fast engagement to mitigate safety critical failures when the time to 
failure horizon is so short that human intervention is not possible. 

Figure 6.5. — The notional relationship between failure time-scale and the need of various user groups. 


The vast collection of data stored in each vehicle database can then be accessed and processed in 
a great variety of ways, using different applications custom designed to meet the needs of the 
individual users involved with the day-to-day vehicle operations. There are four major user 
groups, each with different information requirements: fleet managers, maintenance technicians, 
pilots, and in-flight automation systems. The health information needs of each group largely 
depend on the amount of time between the identification of a precursor to failure, and when the 
actual failure occurs. While in some cases this amount of time can be difficult to accurately 
predict, what really matters is the time scale. In Figure 6.5, an example of the notional 
relationship between failure time-scale and the various user groups is illustrated (although the 
timescales and users may vary given the circumstances). 

Finally, the importance of separating the storage and processing of the data cannot be overstated. 
This is because, when feasible, the collected data should be stored to minimize the loss of any 
information that future improvements to data processing ability may leverage to better assess the 
health of the vehicle. Also, errors in processing algorithms can always be corrected without 
affecting the historical vehicle record. 

Relevant health related information for each aircraft can be stored, processed, and managed 
through a networked database or cloud that users can access from anywhere (e.g., using mobile 
devices). In particular, sensor data can be wirelessly downloaded when the aircraft lands. This is 
an important consideration since onboard in-flight computing power is extremely costly to 
develop, certify, and update. Two brief examples include: 

• The flight automation system (through CDM) might interface to the on-board monitoring 
system and feed information to the flight controls to prevent the aircraft from getting into 
an upset condition. More specifically, if an impending structural failure is detected the 
automation system can help the pilot guide the aircraft to the ground while minimizing 
stress to the weakened components. 

• A maintenance application might monitor the recorded electrical power delivered to 
safety critical avionics systems and generate a specific maintenance action when a 
significant change to nominal levels occurs. In addition, the long-term historical data can 
be processed in order to spot trending degradation and the information then provided to a 
fleet manager. 

Data handling will be a major component of any future IVHAS. Maintaining data integrity will 
be of particular importance. This is followed by the desire to use the data appropriately, 
including data mining to determine its significance and potentially provide feedback to the 
system or maintenance actions. Finally, there needs to be an ability to “referee” proper use of the 
data. 
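
The separation of stored data from processing, the maintenance application that watches electrical power, and the data integrity requirement described above can be shown together in one sketch. This is an added example, not part of the original document: the hash chain is one common integrity technique chosen here for illustration, and `VehicleRecord`, the `power_advisories_*` functions, the 28 V nominal level, the 5 % tolerance and the flight samples are all assumptions constructed for it.

```python
import hashlib
import json
from statistics import mean

GENESIS = "0" * 64  # chain start value (assumption for this sketch)


def _link(prev_hash, payload):
    """Hash of one entry, bound to the hash of the entry before it."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class VehicleRecord:
    """Append-only raw record for one aircraft; processing never writes here."""

    def __init__(self):
        self._entries = []  # list of (payload, entry_hash)

    def append(self, payload):
        entry_hash = _link(self.head(), payload)
        self._entries.append((json.loads(json.dumps(payload)), entry_hash))
        return entry_hash

    def head(self):
        """Latest hash. Anchor it outside the database, e.g. in a signed log."""
        return self._entries[-1][1] if self._entries else GENESIS

    def verify(self):
        """Return the index of the first entry that fails the chain, else None."""
        prev = GENESIS
        for index, (payload, entry_hash) in enumerate(self._entries):
            if _link(prev, payload) != entry_hash:
                return index
            prev = entry_hash
        return None

    def raw(self):
        """Deep copies, so an analysis cannot alter the stored measurements."""
        return [json.loads(json.dumps(p)) for p, _ in self._entries]


def power_advisories_v1(entries, nominal_v=28.0, tolerance=0.05):
    """First analysis version. Defect: only an over-voltage trips it."""
    return [e["flight"] for e in entries
            if (mean(e["bus_v"]) - nominal_v) / nominal_v > tolerance]


def power_advisories_v2(entries, nominal_v=28.0, tolerance=0.05):
    """Corrected version: a significant change in either direction trips it."""
    return [e["flight"] for e in entries
            if abs(mean(e["bus_v"]) - nominal_v) / nominal_v > tolerance]


def build_sample_record():
    """Constructed sample: avionics bus voltage samples from three flights."""
    record = VehicleRecord()
    record.append({"flight": "F001", "bus_v": [28.1, 27.9, 28.0]})
    record.append({"flight": "F002", "bus_v": [27.8, 27.7, 27.9]})
    record.append({"flight": "F003", "bus_v": [26.0, 25.8, 25.9]})
    return record


if __name__ == "__main__":
    record = build_sample_record()
    head_before = record.head()
    print("v1 advisories:", power_advisories_v1(record.raw()))
    print("v2 advisories:", power_advisories_v2(record.raw()))
    print("record unchanged by reprocessing:",
          record.head() == head_before and record.verify() is None)
    # Simulated out-of-band edit of a stored measurement (constructed).
    record._entries[2][0]["bus_v"] = [28.0, 28.0, 28.0]
    print("first entry failing verification:", record.verify())
```

The corrected analysis finds the under-voltage flight that the first version missed, while the stored record and its head hash stay the same; the chain only exposes an edit if the head hash is kept somewhere the database writer cannot change.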

In the hierarchal approach, data processing and analysis will be performed not just in a central 
location, but at various levels throughout the system. A smart sensor will determine its own 
health and flag that information as a standard part of the data stream. A local node can take that 
into account when comparing various sensors in a voting scheme before feeding that information 
to the subsystem and/or Vehicle Level Reasoner. Finally, local information can be stored and 
downloaded as needed. The fundamental approach is to move from centralized processing and 
storage that is overwhelmed with information, to local processing and awareness integrated 
throughout the system. The three high-level examples below in Section 7.0 go into more detail 
on how various users might interface with the onboard health monitoring system and historical 
vehicle database. 
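
One way a local node could combine self-reported sensor health with a voting scheme before reporting upward, as an added example that is not part of the original document. The `Reading`, `NodeReport` and `vote` names, the median-based vote, the tolerance, the quorum of two and the temperature samples are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Reading:
    sensor_id: str
    value: float
    healthy: bool  # self-assessed health flag carried with every sample


@dataclass(frozen=True)
class NodeReport:
    value: Optional[float]      # fused value, or None without consensus
    status: str                 # "OK", "DEGRADED" or "NO_CONSENSUS"
    used: Tuple[str, ...]       # sensors that contributed to the value
    excluded: Dict[str, str]    # sensor_id -> reason it was left out


def vote(readings, tolerance, quorum=2):
    """Fuse redundant readings at a local node before reporting upward."""
    excluded = {}
    candidates = []
    for r in readings:
        if r.healthy:
            candidates.append(r)
        else:
            excluded[r.sensor_id] = "self-reported fault"

    # The flag is the sensor's own claim, so the sensors that claim to be
    # healthy are still cross-checked against each other.
    agreeing = []
    if candidates:
        centre = median(r.value for r in candidates)
        for r in candidates:
            if abs(r.value - centre) <= tolerance:
                agreeing.append(r)
            else:
                excluded[r.sensor_id] = "disagrees with peers"

    used = tuple(r.sensor_id for r in agreeing)
    if len(agreeing) < quorum:
        # Too few mutually consistent sensors: report that, not a guess.
        return NodeReport(None, "NO_CONSENSUS", used, excluded)
    status = "DEGRADED" if excluded else "OK"
    return NodeReport(median(r.value for r in agreeing), status, used, excluded)


# Constructed samples: redundant temperature sensors (degrees C) at one node.
CASES = {
    "flagged": [Reading("t1", 612.0, True), Reading("t2", 615.0, True),
                Reading("t3", 940.0, False), Reading("t4", 611.0, True)],
    "silent_fault": [Reading("t1", 612.0, True), Reading("t2", 615.0, True),
                     Reading("t3", 300.0, True)],
    "split": [Reading("t1", 612.0, True), Reading("t2", 700.0, True),
              Reading("t3", 940.0, False)],
}

if __name__ == "__main__":
    for name, readings in CASES.items():
        print(name, vote(readings, tolerance=10.0))
```

The `split` case is the one to watch: with only two sensors left and no agreement between them, the node passes the lack of consensus up to the subsystem or Vehicle Level Reasoner instead of averaging the two values.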

6.5.2 Airframe Subsystem Health Assurance Concept 

The cornerstone of the airframe health assurance concept is the Dynamic Assessment of Aircraft 
Structural Health methodology (DAASH). The long term (10 year+) vision for DAASH is an 
integrated system that will provide information about actual flight loads and damage not 
detectable by visual inspection such as multiple damage sites below BVID, or unknown 
manufacturing defects that might otherwise go undetected and affect the vehicle’s structural 
integrity. Currently no comprehensive system for structural health monitoring (SHM) of 
commercial aircraft exists. Most SHM systems in use today focus on areas of known concern, 
such as monitoring landing gear loads or areas of high stress concentrations. In future aircraft, an 
onboard SHM system would be capable of real time detection of events that may result in 
damage and low spatial resolution of the location of damage through changes in the response of 
the structure. This damage may be due to an impact event, manufacturing or maintenance defects 
or general degradation of the material system due to aging. During a flight, depending on the 
level and location of the event detected, the SHM system may initiate maintenance actions after 
the flight, or in the case of significant damage communicate an estimate of the health state to 
other onboard systems to limit the operational envelope of the aircraft until it is safely on the 
ground. Additionally, the SHM indication would trigger the post-flight application of advanced, 
high-resolution NDE and guide the inspection personnel to the general location of the damage so 
that a quantitative assessment of the extent and nature of the damage could be performed. 

The same SHM system would also provide structural load information to create a record of 
airframe load history, or as input into control software to prevent excessive operational loads in 
adverse flight conditions. A record of both vehicle loads and structural health between major 
inspections would be maintained for the life of the vehicle and could ultimately be used as input 
to a condition based maintenance program. The onboard monitoring system would remain active 
during ground operations and provide indications of accidental damage to the vehicle. (For 
example, a ground vehicle such as a catering truck contacting the aircraft at low speed slowly 
deforms the aircraft skin over a reasonably large area. The onboard monitoring system would 
record this event and signal a maintenance inspection before the aircraft would be cleared to fly.) 
The system would characterize the event and trigger a series of diagnostic and prognostic actions 
to ensure the vehicle’s health, much like the “check engine” light in an automobile triggers 
additional diagnosis and maintenance to correct the problem. Progressive damage analysis will 
be used to establish allowable damage limits and critical damage size to define the requirements 
for the SHM and NDE systems. The coupling of SHM and NDE systems with structural analysis 
will improve the ability to detect and characterize damage and to assess structural health. 

The envisioned comprehensive structural health monitoring system will improve the reliability 
and safety of future aircraft systems by addressing several limitations in the current approach. An 
autonomous health assessment system will provide high frequency monitoring and inspection for 
damage, rather than rely on crew observations or scheduled inspections for damage detection. 
The system will detect hidden damage from unknown sources and not rely upon visible 
evidence, which is especially powerful in locations that are difficult to inspect. Integration of 
SHM, NDE, and residual strength analysis technologies connects execution steps that are now 
discrete, and thus reduces opportunity for human errors in execution or judgment. Also, an 
integrated system approach will guide and enable development to achieve system reliability and 
safety objectives, which is the ultimate goal. 

While there are a multitude of threats to aircraft structural integrity, many of these threats will 
produce obvious indications that immediate action is required (i.e., damage from uncontained 
engine failure). However, some threats (such as the result of a low speed collision between the 
airframe and a service vehicle or a manufacturing defect) do not result in obvious indications of 
damage, yet may compromise either the structural integrity or the fail-safe capability of the 
structure. The DAASH element will develop a methodology of assessing the integrity of a 
composite test article in the event of a single threat that produces no obvious, visual indication of 
damage. One scenario that is being considered is a partially delaminated stringer. This type of 
damage could occur as the result of either a manufacturing defect or a large area, blunt body 
impact. 

A demonstration will be used to show how an onboard SHM system, ground based inspection 
methods of different resolutions (large area rapid low-resolution inspection, localized high- 
resolution), and progressive damage analysis methodologies can be effectively coupled to 
characterize the structural integrity of the test article under representative loading conditions. As 
damage is introduced into the test article, the structural health will be assessed by the integrated 
system developed. This system could also allow for monitoring of the loads that a panel would 
experience in order to more accurately characterize the loading conditions. Previous research has 
focused on independently advancing the SOA in the damage characterization (SHM and NDE) 
and progressive damage analysis elements, while little work was devoted to integration of these 
elements into a comprehensive structural health assessment system. Therefore, it is anticipated 
that although some resources will be applied to advancing the SOA of the individual 
technologies a majority of the resources will be applied to the integration of these technologies. 

The SHM concept is predicated on the detection of damage and quantification of the damage 
state. To further address the state of the airframe two advanced material concepts are being 
studied. Self-healing and self-sensing materials are being developed to prevent damage from 
initiating or propagating and to improve damage detection by developing materials that facilitate 
damage detection using existing sensor technology. The self-healing material concepts that are 
being addressed specifically mitigate damage from propagating in polymer matrix composites 
after impact and fatigue crack growth in metallic materials, which are two of the most likely 
damage scenarios for airframe materials. The detection of damage in structural materials is 
inherently difficult as the critical size of damage can be quite small and present within very 
complex geometries. Consequently, it is desirable to design materials that augment the 
capabilities of existing sensors. Materials that emit an audible signal when damaged, which can 
be monitored by passive on-board sensors, are being developed. Additionally, these materials 
have demonstrated improved signal detection of damage when using ground-based inspection 
techniques. These self-sensing materials are being studied to augment the SHM concepts being 
developed within the DAASH portion of the project. 

As indicated in the above description, the proposed methodology for assessing aircraft structural 
health uses a layered approach for damage detection. In addition to an on-board system for 
coarse indications and localization of damage, the DAASH element includes demonstration of 
rapid large-area ground inspection technology. The ground-based system would provide more 
detailed assessment of airframe health in response to a reported ground or in-flight event prior to 
the next flight, or provide a supplemental capability to an on board SHM system to daily ‘scan’ 
the structure for the development of damage from any unknown cause (i.e., inappropriate 
maintenance action or repair, manufacturing defect, or high stress location). The current health 
assessment would then guide contingency actions in flight or further diagnostic or repair actions 
if needed. A notional block diagram of one embodiment of this response is shown in Figure 6.6. 



Figure 6.6. — Notional block diagram showing one way the Dynamic Assessment of Aircraft Structural Health 
(DAASH) technologies might integrate into an overall vehicle health system. 


The individual components in Figure 6.6 represent technologies and methodologies that will be 
integrated as part of the Airframe Health Assurance element and will be integrated together in 
the final technology demonstration on a laboratory-scale test article. 

Impacts of the Airframe Health Assurance Approach include: 

• On-board SHM — Demonstration of how SHM can be used for impact detection, load 
monitoring, or damage localization. 

• Large Area Ground Inspection — Demonstration of how rapid, large area ground-based 
NDE inspection could be used to enhance safety between inspections with little or no 
downtime to the aircraft unless damage is found. This could be used in place of an SHM 
system in legacy aircraft, or to complement the SHM system. 

• High Resolution Localized NDE — Demonstration of how high-resolution NDE can 
provide detailed, quantitative information regarding physical characteristics of the 
damage. 

• Damage Quantification — Demonstration of how model driven, combined NDE, SHM data 
and/or inverse FEM methods can be used to quantify damage size, type, and location. 

• Residual Strength — Demonstration of the prediction of damage progression, residual 
strength and critical damage size. 

• Load Limits — Demonstration of how load information could be provided as input to 
determine if updated load limits are required based on reduction in residual strength 
and/or an accumulation of damage for continued operation of aircraft until it is safely 
returned to the ground. 

• Durable Materials — Demonstration of self-healing materials capable of mitigating 
representative damage for replacement on existing aircraft structure or for integration in 
the manufacture of new vehicles. 


6.5.3 Avionics Subsystem Health Assurance Concept 

Any overall avionics health assurance concept of operations must be general enough to 
incorporate information from a diverse array of electronic sources, and the historical vehicle 
health database provides the backbone for this functionality. This is because each individual 
subsystem can store its own electronically measured health information offline, without 
necessarily needing to interact with any other subsystem. Applications can then process the data 
for either the individual system, or across multiple subsystems, to provide diagnostics and 
prognostics capability. The only data processing required on-board would be to detect rapid 
damage progression leading to an imminent failure that demands the immediate attention of the 
pilot or automation system. 

6.5.3.1 Electrical Wiring and Interconnect System Health Assurance System Concept 

From a bird’s eye view, the hardware technology required to set up health management for the 
wiring and interconnect system is available now. It is the same technology summarized in 
Section 5.3. However, new or modified design concepts are required to unify these technologies 
from the ground up, especially for systems to benefit from chafing fault detection. 

An initial concept only requires the integration of sensors to measure and store signal integrity 
and power consumption information both during flight, and while the aircraft is on the ground. 
These sensors would need to be incorporated into the power distribution and interconnection of 
critical avionics systems. The information collected by the sensors could then be transmitted to 
the vehicle historical database in between flights for on-the-ground processing and analysis to 
determine if maintenance actions are required. This approach minimizes the need for additional 
in-flight computing power, and should be completely separate from the hardware and software 
required during flight. In other words, during flight the EWIS health management system need 
only passively record data. Furthermore, the electrical system can be electronically inspected for 
chafing through the use of a built in system that functions while the aircraft is in a quiescent state 
on the ground. While this on-board system would enable a fast inspection of the typically 
inaccessible wiring, it would not be considered an in-flight system. 

To a certain extent, industry already appears to be moving in this direction. For example, 
Gulfstream and Boeing are already reporting the use of solid-state power distribution systems 
capable of load monitoring for health management [61, 62]. From a hardware standpoint it seems 
a relatively straightforward process to integrate the additional sensing electronics required for 
intermittent connection detection (which requires monitoring in a vibrating operational 
environment), and chafing fault detection (which is probably best performed while the aircraft is 
in a quiescent state). What’s needed is the integrated system for collecting the data, along with 
health management modeling and diagnostics/prognostics algorithms. To a large extent, the tight 
coupling between data collection and software processing is a major bottleneck to the 
advancement of integrated health management. This is because the health management models 
and algorithms driving the data collection requirements are still under investigation within the 
research community. 

6.5.3.2 Other Avionics Health Assurance Systems Concepts 

Health assurance for safety critical avionics boxes, electromechanical actuators, and batteries has 
the potential to span the timescales of all user groups presented in Figure 6.5. Health 
management algorithms with prognostic horizons longer than a few flights can be used by 
maintainers to perform condition-based maintenance and by fleet managers to position assets 
more effectively, taking into account that some assets will be unavailable because of upcoming 
maintenance. At the other end of the timescale, diagnostic algorithms or prognostic algorithms 
with short horizons can inform pilots and automation systems. For example, if an actuator jam is 
detected, a low-level automated control reallocation may be required to maintain aircraft 
stability. 

Research in health assurance for actuators, batteries, and avionics boxes is still establishing the 
types of sensors and processing requirements needed to perform robust health management. In 
some cases, accurate, high-confidence diagnostics and prognostics may require additional 
instrumentation that is not typically found in fielded systems. For example, installing 
accelerometers on electromechanical actuators can lead to more accurate fault diagnosis and 
prediction of remaining useful life. However, installation of sensors that are not required for 
subsystem control is undesirable from an aircraft integrator perspective because sensors require 
power, calibration, interpretation, servicing computer memory and processing time, wiring, 
weight, and volume [192]. Similarly, high data sample rates and intensive processing power 
required by some algorithms pose challenges to on-board implementation. 

An initial concept for health management of these avionics systems involves three aspects. First, 
additional instrumentation and data storage capabilities should be deployed in a research context 
to establish the signatures of faults and precursors of failures. Such data would be downloaded 
and analyzed off-line to evaluate the potential of various feature extraction approaches and 
health management algorithms. Second, correlations between research instrumentation and 
typical fielded instrumentation in regards to health management capability should be assessed. 
The ultimate goal is to find sensing and analysis approaches that use available instrumentation 
and processing to the extent possible while still providing sufficient health management 
capabilities. Improvements in sensing and processing capabilities will continue to expand the 
possibilities in this regard. Third, an approach to store short bursts of higher rate data on-board 
for off-board processing would address the difficult problem of no-fault found, where on-board 
summary fault indications cannot be replicated in a quiescent test environment. In this scenario, a 
circular buffer of high rate data that is normally overwritten would be preserved when a trigger 
condition is met. It is important to record environmental parameters to understand the conditions 
under which the equipment was operating when the fault occurred. This approach is already 
being pursued by General Electric [193]. As noted in the previous section, arriving at the proper 
sensing, data collection and software processing requirements is necessary to advance integrated 
health management. The concepts outlined above should help to address this need. 
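
The third aspect above, a circular buffer of high-rate data that is normally overwritten and is preserved when a trigger condition is met, can be sketched as follows. This is an added example, not code from the ConOps or from the General Electric work cited; the names TriggeredRecorder, Sample and Capture, the 22 V trigger threshold, the bus-voltage signal and the environmental parameters are all assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Sample:
    t: float                # seconds since power-up
    signal: float           # high-rate measurement (bus voltage here, an assumption)
    env: Dict[str, float]   # environmental parameters recorded with the signal


@dataclass
class Capture:
    trigger_time: float
    samples: List[Sample]
    complete: bool = False  # stays False if power is lost mid-capture


class TriggeredRecorder:
    """Ring buffer that is normally overwritten and is preserved on a trigger."""

    def __init__(self, trigger: Callable[[Sample], bool],
                 pre_samples: int, post_samples: int, max_captures: int = 4):
        self._trigger = trigger
        self._ring = deque(maxlen=pre_samples)   # oldest sample falls off by itself
        self._post = post_samples
        self._max = max_captures
        self._active: Optional[Capture] = None
        self._remaining = 0
        self.captures: List[Capture] = []
        self.dropped_triggers = 0                # triggers lost because storage was full

    def push(self, sample: Sample) -> None:
        if self._active is not None:
            # A capture is open: append until the post-trigger window is full.
            self._active.samples.append(sample)
            self._remaining -= 1
            if self._remaining == 0:
                self._close()
        elif self._trigger(sample):
            if len(self.captures) >= self._max:
                # Bounded storage: count the loss so ground analysis knows about it.
                self.dropped_triggers += 1
            else:
                # Freeze a copy of the pre-trigger history plus the trigger sample.
                self._active = Capture(sample.t, list(self._ring) + [sample])
                self.captures.append(self._active)
                self._remaining = self._post
                if self._remaining == 0:
                    self._close()
        self._ring.append(sample)

    def _close(self) -> None:
        self._active.complete = True
        self._active = None


def constructed_stream(dips=(12,), n=20) -> List[Sample]:
    """Constructed 1 kHz samples: 28 V nominal, dropping to 19 V at the given indices."""
    out = []
    for i in range(n):
        dip = i in dips
        out.append(Sample(t=i / 1000,
                          signal=19.0 if dip else 28.0,
                          env={"temp_c": 41.5, "vib_g": 3.2 if dip else 0.4}))
    return out


def record(stream: List[Sample], **kwargs) -> TriggeredRecorder:
    rec = TriggeredRecorder(lambda s: s.signal < 22.0, **kwargs)
    for s in stream:
        rec.push(s)
    return rec


if __name__ == "__main__":
    rec = record(constructed_stream(), pre_samples=5, post_samples=3)
    cap = rec.captures[0]
    print(cap.trigger_time, len(cap.samples), cap.complete)
```

Each preserved capture carries the environmental parameters of every sample, so the conditions at the moment of the fault travel with the data to off-board analysis.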

Impacts of EWIS Health Assurance Approach include: 

• Industry could focus on in-flight sensing and data collection, transmitted for database 
storage and processing on the ground. Geared towards detecting intermittent connection 
problems that require measurements in an operational vibrating environment. 

o In particular, new avionics boxes should actively communicate connection status to 
power distribution centers in-flight. This approach might work well with the solid- 
state power distribution methods currently going into practice. 

• Chafing fault detection on critical signal and power wires only, can be used to 
electronically ensure cable integrity and prevent incipient problems. 

o Implementing this step may require additional wiring requirements (shielded, 
impedance controlled, etc.) for the target critical systems, but would also help ensure 
safety and enable faster, more targeted condition based wiring maintenance. It would 
enable one to verify before each flight that the most critical wires on the aircraft are 
intact and ready. 

o Watch points can be established and monitored for increasing likelihood of a small 
chafe, and later growing size of the chafe. Fleet managers may be able to determine 
when to make bulk repairs. 


6.5.4 Propulsion Subsystem Health Assurance Concept 

The harsh environment conditions within an engine often present significant challenges for the 
integration and application of health management systems. In parallel, diagnostic systems often 
have to perform evaluations with limited sensor information, while evaluating a complex system 
whose components include gas path, turbomachinery, hydraulics, and other components. The 
approach to Propulsion Health Assurance consists of a combination of activities in Engine 
Emerging Discs and Composite Materials Health, Propulsion Systems Diagnostics, and Smart 
High Temperature Sensor Systems to be described below. Propulsion Systems Diagnostics 
provides methods for the real-time assessment of the overall health of the engine. This includes 
assessing engine aero-thermodynamic performance, and the health of turbomachinery blades and 
vanes, control sensors, and control actuators. Smart High Temperature Sensor Systems include 
sensors and sensor systems, which allow the measurement of engine parameters in harsh 
conditions allowing for improved understanding of the engine state. Both tasks feed into 
continued Vehicle Integrated Propulsion Research (VIPR) testing. These activities provide 
information related to gas path and rotordynamic areas identified as associated with safety risks: 
engine compressors, turbines, gas path, bearing/seals, and overall engine health. These are 
intended to diagnose and monitor engine systems and mitigate potential issues through existing 
and new easily integrated, small, low weight sensors avoiding costly retrofits while maintaining 
safety. This basic approach is shown in Figure 6.7, which illustrates the combination of increased 
sensor coverage and improved sensor diagnostics to improve understanding of the engine health 
state. 



Figure 6.7. — Notional block diagram of Propulsion Health Monitoring Assurance Concept. 

6.5.4.1 Engine Emerging Discs and Composite Materials Health 

Current and emerging commercial aircraft are utilizing advanced materials in propulsion 
components including advanced Ni-base superalloys for turbine disks and polymer matrix 
composites for engine structures. This Task addresses potential safety issues for recently 
implemented technologies as well as robust design for future emerging technologies. Accurate 
life prediction, taking into account materials, component design, manufacture, flaw detection, 
and service conditions, is a goal. A turbine disk failure usually results in a loss of engine, 
considerable airframe damage, and the possibility of loss of the aircraft. A detailed 
characterization and modeling of the near surface layer after current and advanced surface 
processing, including application of coatings, is needed for more accurate life prediction. 
Linkage of life prediction and microstructure prediction models will be performed to discern 
what features in the microstructure and surface conditions govern and limit fatigue life for the 
relevant service conditions. Composite materials are beginning to be used for fan cases and other 
engine primary structure. There is little service experience with composite components, and 
failure mechanisms are not well understood. Technologies will be developed to provide a more 
robust assessment of safety for these composite engine structures, for both current and future 
applications. Potential effects of material aging in simulated engine environments and impact 
damage from various sources (bird strike, hail, FOD) in order to assess safety over the full life 
cycle of an engine will be investigated. 

6.5.4.2 Propulsion System Diagnostics 

Propulsion Systems Diagnostics are provided for the assessment of overall engine health. This 
includes enhanced gas path and rotating structural health diagnostic capabilities. Propulsion Gas 
Path Diagnostics is performed by relating observed changes in sensed engine parameters to 
internal performance-related changes within the gas turbine engine cycle. Monitoring and 
processing engine sensed measurements enables the detection and isolation of problems, 
ultimately enabling corrective action to be taken. Rotating structural health diagnostics is 
performed by applying and analyzing the measurements collected from advanced sensors 
installed for monitoring the dynamic response of the engine structure. This includes blade tip 
timing and tip clearance measurements as well as advanced accelerometer 
measurements. 

This work directly addresses limitations in propulsion diagnostics capabilities. Today, propulsion 
gas path health management (GPHM) functionality resides both onboard and off-board the 
aircraft and is primarily conducted relying on the sensors installed for engine control purposes. 
Onboard GPHM functionality applies relatively simple range and rate-of-change checks to 
diagnose engine fault conditions. Off-board, or ground-based, GPHM processes a limited 
number of “snap-shot” measurements collected at fixed operating points from each engine each 
flight to trend engine performance deterioration and to diagnose gas path system faults. 
However, this off-board processing often does not happen until several days after the flight has 
occurred causing significant diagnostic latency. Additionally, any resulting engine performance 
deterioration estimates are only available off-board. They are not available for on-board controls 
and health management applications, and thus are not utilized to their full potential. In addition, 
very little instrumentation exists for the in-situ structural health monitoring of engine 
components. Most of the structural monitoring is done by secondary instrumentation such as low 
frequency accelerometers to monitor vibrations and other sensors that are used by the control 
system. Actual, detailed, structural health monitoring is done offline by physical inspections of 
the engine components on a periodic basis defined by a maintenance schedule. Correspondingly, 
there are a range of in-flight engine propulsion system malfunctions that can occur. Examples 
include turbomachinery damage, control sensor and actuator faults, and turbomachinery 
deterioration induced by environmental effects such as volcanic ash and ice ingestion. 

The approach in propulsion diagnostics is to address the imperative need for aircraft operators 
and maintenance personnel to have accurate information regarding the health state of the engine 
gas path system in order to make appropriate maintenance and inspection decisions. 
Additionally, propulsion health state awareness can assist the flight crew in recognizing and 
responding to engine malfunctions. In the past, propulsion system malfunctions combined with 
inappropriate crew responses have contributed to a number of Loss of Control (LOC) accidents, 
rejected takeoffs, and crew errors such as shutting down the wrong engine. Engine gas path 
diagnostic strategies are needed that can enable continuous real-time monitoring of engine 
health; estimation of unmeasured engine performance parameters for diagnostics, prognostics, 
and controls applications; and overall improved propulsion health state awareness to support 
crew system decisions and LOC prevention/mitigation strategies. This work will develop and 
mature on-board model-based aircraft engine estimation and diagnostic technology. 

6.5.4.3 Smart High Temperature Sensor Systems 

A critical first step in any health management process is the acquisition of physical system 
measurements via sensors. State-awareness is the foundation of diagnostics and decision-making, 
and present aircraft propulsion systems have limited self-awareness due to the harsh environment 
operational condition. Given the range of relevant engine component parts whose failure can 
have a notable impact, there are a range of parameters that are of interest to measure in an 
operating engine. Presently very few of these parameters are measured and often with systems 
whose implementation is restricted by the harsh environment conditions, implementation on 
rotating components, or both. Sensor reliability is a significant issue with wiring being a 
dominant cause of sensor failure, leading to limitations in the implementation of sensor 
technology. 

The development of Smart High Temperature Sensor Systems focuses on the design and 
fabrication of sensors that can withstand the extreme temperature environment of engine gas path 
and rotordynamic components including compressors and turbines. The engine is a complex 
system with a range of operating components whose failure can affect passenger safety. This 
work will produce a multiparameter array of harsh environment compatible sensors able to 
monitor a targeted range of relevant static and rotating components that presently are not reliably 
monitored or cannot be monitored during flight. The approach is to integrate these sensors and 
sensor systems into a multiparameter detection suite whose combined information provides 
engine characterization significantly enhanced compared to that provided by a single, or single 
type of, engine sensor. Included is development of high temperature electronics, communication, 
and power to enable a smart sensor system moving toward the “Lick and Stick” concept 
described in Section 5.4.2.3.6. This work concentrates on the development of sensor technology 
to enable their maturity as engine diagnostic tools as well as improved sensor reliability and 
capability for viable engine implementation. This work will focus sensor development on 
different aspects of engine operation. It is not possible within this task to provide technology to 
characterize the entire engine; rather as described in Section 6.6.4.2 specific engine properties 
are targeted with relevance to safety issues, applicability to engine diagnostics, lack of existing 
flight measurement capability, and potential for vehicle integration. 

6.5.4.4 Information Fusion for Propulsion Health Management Systems 

Current aircraft gas turbine engine health management systems are comprised of a diverse 
assortment of diagnostic modules designed to assess the health of individual engine subsystems 
such as gas path system performance, structural health, and lubrication system health. 
Continuing advancements, as previously described, in sensing technology are providing the 
potential for additional engine health state information such as turbomachinery clearances, 
combustion chemical emission content, high frequency vibration measurements, and gas path 
debris indications. Currently, there is no well-established means for combining this information 
to produce an overall system-level assessment of an engine’s health. 

An information fusion capability as a means for combining health information from multiple 
engine subsystems, available in different formats, and updated at different frequencies will be 
developed. The information fusion architecture will be modular in design, permitting additional 
diagnostic subsystems to be added as they become available. In particular, approaches for 
combining gas path performance, turbomachinery clearance, and chemical emission information 
will be studied in the near term. This will provide a baseline tool to allow integration of 
information on the propulsion subsystem that will then feed towards a larger vehicle health 
management system providing in-flight information on vehicle health in an easy-to-use format. 
The approach is to provide information fusion of the wide range of input parameters specific to 
propulsion systems. 

Impacts of the Propulsion Health Assurance Approach include: 

• Advanced powder metallurgy (PM) disk life prediction algorithm taking into account 
effects of production and service conditions. 

• Environmental protective coating for advanced PM superalloy disks providing new 
capabilities to minimize premature fatigue failures from corrosion and oxidation 

• New inspection methods, standardized analysis methods, and identification of potential 
composite material /structure failure modes in service providing the tools needed for 
airworthiness assessment and failure mitigation 

• Focus on technologies for the reduction of safety-significant propulsion malfunctions that 
have contributed to past propulsion system malfunction plus inappropriate crew response 
accidents, such as asymmetric thrust, rejected takeoffs, and in-flight engine shutdowns. 

• On-board model-based gas path diagnostic architecture combined with an adaptive self 
tuning engine model providing in-flight capabilities to diagnose engine health state and 
prevent in-flight propulsion malfunctions. 

• Provide diagnostic benchmarking problems and metrics leading the engine community in 
standard approaches and practices. 

• Multiparameter harsh environment engine sensor suite for comprehensive detection of 
compressor, turbine, and rotor failure precursors. 

• High temperature Smart Sensor Systems with in-situ processing and communication 
capabilities leading to new measurements and more reliable sensor data. 

• Evaluation of data from multiparameter engine sensor systems in both simulated and real 
fault conditions. 

• Information fusion approaches to combine a range of propulsion system information. 


6.6 MVS Concept Development and Implementation Plan 

The MVS Technical Challenge has several major milestones representing progress toward 
achieving the goals identified above. The overall approach will be developed in FY12, with this 
Concept of Operations document outlining a detailed plan for developing an integrated vehicle 
health approach and demonstrating the survivability of engine sensors in extreme environments. 
In FY13, the focus is on diagnostic methods for identification of both airframe damage and off- 
nominal engine operation. FY14 further advances the SOA by predicting damage progression 
and improved methods for repairs to prevent damage progression. The effectiveness of these 
methods will be integrated, demonstrated, and evaluated at the subsystem level in FY14, 
culminating in integrated demonstrations in FY15. These milestones address the major vehicle- 
related factors that directly or indirectly cause fatal accidents and provide multiple layers of 
safety, from prevention through mitigation. Collectively, this will result in an effective approach 
for maintaining or improving vehicle safety between major inspections. 

6.6.1 Vehicle System Development and Implementation 

6.6.1.1 Vehicle System Approach 

The implementation of the IVHAS across the vehicle is a long-term activity that first 
concentrates on subsystem development and then expands to increasingly complex vehicle level 
systems with continual feedback between design and maintenance activities. Research 
deliverables associated with these products include prototype sensors with associated failure 
prediction algorithms, prototype materials and coating subsystems, peer-reviewed publications of 
interim research results, guidelines and recommendations, and performance metrics. An 
overview of a timeline related to this MVS IVHAS development is shown in Figure 6.8. 


[Figure 6.8: milestone timeline chart with a fiscal-year axis of FY12, FY13, FY14, FY15, FY16, and FY17-26. The placement of each milestone on the axis is not recoverable. Milestone labels:] 

• Demonstrate self-healing concepts to mitigate structural damage (APG) 

• Demonstrate ability to diagnose off-nominal engine operation 

• Demonstrate damage progression prediction tools for composite structures 

• Develop concept of operations for integrated vehicle health (APG) 

• Develop signal processing algorithms to determine damage location in sensory alloys 

• Demonstrate improved bonded repair methods 

• Demonstrate engine diagnostic systems based on expanded sensor suite 

• Demonstrate large-scale multi-level health assessment 

• Demonstrate damage/fault characteristics of N+2 vehicles 

• Demonstration of fault diagnostics for aircraft systems 

• Demonstrate 1st generation smart sensor system off-nominal engine sensing 

• Demonstrate probabilistic design, assessment, and self-repair methods for advanced vehicle concepts 


Figure 6.8. — Development of IVHAS over the next 15 years. 


The milestones map advances the development of technologies that enable safe aircraft 
operations between inspections over the 15-year time span. Specific benefits include: 

(1) Reduced in-flight safety risks due to engine, airframe, and avionics related faults and failures; and 

(2) Individual vehicle health-state awareness supports better in-flight decisions and targeted 
ground-based maintenance. 

The milestones delineate progress in the areas of new materials and 
coatings for assuring structural integrity for safe operations; methods for early detection of 
vehicle hazards through increased monitoring capabilities using sensors designed for extreme 
environments and increased sensor density; and integration of ground-based inspections with 
real-time in-flight health monitoring of aircraft systems. 

The MVS Technology Challenge has a pipeline approach of technology development and 
maturation. Within a given technical area, there is a mixture of both more mature and less mature 
technologies. The more mature technologies can be brought to the demonstration stage, e.g., an 
on-wing or flight demonstration, during the course of the program, perhaps early on. Other 
technologies are less mature at the beginning of the program, but are planned to be advanced for 
demonstration at the end of the program. Finally, a smaller portion of the technology is meant as 
a foundation for the next phase of the Aviation Safety program to begin to have impact early in 
its implementation. 

The demonstration activities are meant both to advance the maturity of the technology and to 
provide a method to begin the process of hand-off to potentially interested industry sources. In 
order to collaborate and advance technology, NASA continuously maintains and establishes new 
external partners through Space Act Agreements (SAA), NASA Research Announcements 
(NRAs), and Small Business Initiative Research (SBIR). 

Currently the Aviation Safety Program’s System-wide Safety Assurance Technologies Project is 
developing a Vehicle Integrated Prognostic Reasoner that is aimed at providing knowledge, 
concepts, and methods to proactively manage increasing complexity in the design and operation 
of vehicles and air transportation systems, including advanced approaches to enable improved 
and cost-effective verification and validation of flight-critical systems. It is also anticipated that 
MVS will leverage this development activity through collaboration with the SSAT Project. 

The work under the MVS Technical Challenge supports the research ongoing under the broader 
VSST Project. The other two VSST Technical Challenges, CDM and ASC, are focused on 
reducing human factor and loss of control related accidents, respectively. System and component 
failures are often a contributing causal factor in these types of accidents. The first line of defense 
provided by MVS is the early incipient diagnosis of impending faults, enabling corrective 
maintenance to be performed prior to the event escalating into an in-flight malfunction. 
Additionally, MVS can supply real-time on-board vehicle malfunction and health state 
information. Such information can aid in crew decision-making, and can also help to avoid or 
recover from loss of control scenarios. An example of how the MVS work relates to the research 
ongoing under the CDM and ASC Technical Challenges is given below, and is also discussed 
elsewhere in Section 6.0, and in the scenarios in Section 7.0. 

A propulsion accident category related to the CDM Technical Challenge is Propulsion System 
Malfunction Plus Inappropriate Crew Response (PSM+ICR) — an event where the pilot(s) does 
not appropriately handle a single benign engine system malfunction [194]. Example PSM+ICR 
events include shutting down the wrong engine, rejected takeoff, and loss of control where a 
PSM is a contributing factor. In the event that an in-flight PSM does occur, engine health 
management technology can aid in pilot decision-making by detecting and, when appropriate, 
providing an indication of the malfunction. Recently, an FAA contracted effort with Boeing was 
performed to assess the concepts, risks, issues, technical feasibility and operational 
appropriateness of providing indications of propulsion system malfunctions to the flight crew 
[24]. This study specifically considered the detection and annunciation of engine powerloss, 
surge, failed-fixed thrust, high vibration, and thrust asymmetry. NASA is developing and 
evaluating diagnostic techniques related to several of the PSM indications considered in the 
FAA-Boeing study. This includes vibration diagnostics (high vibration), detection techniques for 
identifying a mismatch between commanded and delivered engine thrust (powerloss and 
failed-fixed thrust), and detection techniques to identify the occurrence of asymmetric thrust when 
auto-throttles are engaged (thrust asymmetry). Reliable detection while avoiding undue 
complexity will be points of emphasis in this work. Additionally, MVS will coordinate with 
CDM to assess human factor issues and operational risks associated with PSM indications. 

Under the ASC Technical Challenge, NASA is investigating integrated flight and propulsion 
control concepts to help avoid and mitigate LOC scenarios. This includes enhanced engine 
control modes such as engine overthrust and faster engine response to enable “propulsion 
assisted” flight control [195-197]. In order to extend engine operation without incurring 
unacceptable risk, the current health state of the engine must be known. This health information 
can be provided through ongoing work within the MVS High Temperature Propulsion Health 
Management element. Specifically, the self-tuning on-board engine model technology provides 
an estimate of the level of performance deterioration within each individual engine. This 
information can in turn be used to estimate available engine thrust and operability margins for 
use by the control system. MVS is coordinating with ASC to supply the propulsion health state 
information that is necessary to enable enhanced engine control modes in support of integrated 
flight and propulsion control research. 

6.6.2 Airframe Development and Implementation 

In order to move toward the long-term vision, the proposed 5 year DAASH task for VSST will 
focus on the development and integration of SHM, NDE and structural residual strength analysis 
technologies to enable a quantitative assessment of airframe structural integrity between major 
inspections. At the end of the 5 year period, this element will culminate with the coordinated 
demonstration of these technologies on a test article, showing how an integrated assessment of 
structural health could be accomplished. It is anticipated that the test article will be obtained 
through a partnership arrangement thus allowing us to leverage engineering and design of the test 
article. Potential partners include Boeing, USAF, FAA and other NASA Aeronautics programs. 

The goal of the DAASH task is to demonstrate technologies and integrated systems that can 
reduce risks in future aircraft. The emphasis will include threats to the operation of aircraft 
composed of composite materials. Based on perceived safety threats, the highest risk threats to 
composite airframe structural integrity are: 

• Discrete source damage from ground vehicle impact, bird strikes, hail, runway debris and 
uncontained engine failure. 

o Large scale damage posing immediate threat 

o Small-scale damage that may be undetected and accumulate or grow over time/cycles 

• Other sources of small-scale damage that may grow undetected: manufacturing defects, 
local high stresses, tool drops, and inappropriate maintenance 

It is anticipated that the DAASH element will focus on panel structural health or capability, 
while the SSAT reasoner or its equivalent will manage structural subcomponent health as one of 
many subsystems, and will assess vehicle health based upon subsystem health and interactions of 
the subsystems. This collaboration will lead to an integrated methodology for maintaining 
aircraft structural safety between major inspections. 

• Health Assessment — Assess overall health and determine if any in-flight actions need to 
be taken or provide guidance for maintenance items (includes development of a safety 
metric for qualitative contingency management) 

• Maintenance Actions — Provide additional health history data to maintenance depot 

• ASC and CDM — Health state awareness for Assure Safe Control (ASC) and Crew 
Decision-Making (CDM) Technology Challenges. 

Additional partners must be identified and secured early in the project cycle to either leverage other 
structural test programs or partner with external organizations for access to structural test specimens 
or systems engineering support for test article development and the integrated demonstration. 
Activities that will build up to the final demonstration will also require the fabrication of task 
specific composite structures, SHM and NDE components. This may require significant 
collaboration and partnership from close industry sources. During the initial year of execution, 
activities will be initiated to identify and begin procurement of the appropriate test article and 
subcomponents necessary for the technology demonstration. The demonstration will showcase the 
integrated operation of multiple activities in the program, and seeks to simulate how these 
technologies might be applied in a real aircraft experiencing a series of operational conditions. It is 
anticipated that this demonstration may take place over a period of days or even weeks. 

High-level task milestones as well as some notable lower-level activities are shown below. 
Additional sub-team or branch level milestones, approximately one per year per sub-team or 
branch, are being developed that will support the task level milestones. These milestones are 
described below and shown in Figure 6.9. 


[Figure 6.9: milestone timeline chart by fiscal year, FY12 to FY16; chart content not recoverable.] 

Figure 6.9. — Air Frame Health Assurance Milestones. 

FY12: 


• Develop concept of operations for integrated airframe vehicle health management — A 
document describing the overall approach to the MVS Technical Challenge and how the 
DAASH concept could be integrated with other subproject elements and tasks. 

• Identify test configuration and develop partnerships — In order to maximize the use of 
available resources, it is anticipated that the test article will be obtained through a 
partnership arrangement thus allowing us to leverage engineering and design of the test 
article and any associated hardware. 

FY13: 

• Identify critical damage size and NDE/SHM requirements — Conduct progressive 
damage/residual strength analysis to determine critical damage sizes for selected 
region(s) of aircraft structure and loading condition(s). Critical damage sizes determined 
will derive NDE/SHM detection requirements. Additionally, resources permitting, assess 
fidelity of analysis predictions using damage characterization from variable fidelity NDE 
methods as input. 

FY14: 

• Down-select NDE and SHM technologies for demonstration article — Based on the 
requirements for critical damage size, a suite of NDE and SHM technologies will be 
selected that will be integrated into the final demonstration test article. 

• Demonstrate residual strength prediction for damaged stiffened panel — Develop and 
demonstrate progressive damage analysis capability for predicting the residual strength of 
a damaged multi-bay stiffened bay panel subjected to compression loading. Activity will 
include pathfinder experimental investigations at the coupon and element level to identify 
fundamental damage mechanisms and their interactions for compression loading. 
Building-block test matrix will be developed for characterization of input required for 
damage models and for validation of analysis model developments. 

FY15: 

• Detailed definition and build/acquire test article — This activity will finalize the definition 
of the test article and any associated hardware necessary for the final demonstration. 

• Integrate structural analysis with damage into NDE physics models — This activity will 
facilitate a closer integration of the structural analysis with the NDE, where the results of 
damage progression models are used by NDE researchers to determine both the fidelity 
requirements for an inspection technique and the actual technique and data analysis 
methodology used. 

FY16: 

• Demonstrate large-scale health assessment system — This final activity of the task will be 
a demonstration of how integrated assessment of structural health could be accomplished. 
This test article will validate not only the individual technologies (such as on-board 
SHM, large area NDE and progressive damage analysis) but will demonstrate how an 
integration of these technologies will provide overall assessment of the health and 
strength of the panel. 

6.6.3 Avionics Development and Implementation 

The field of aviation electrical systems is incredibly broad, and no one resource limited project 
could adequately address the diverse set of health management issues encompassed within it. 
However, the above discussion should have made clear that most of the important issues are 
being addressed by a diverse collection of government and industry partners working together 
through a variety of funding sources. In the next section, we provide a detailed discussion of the 
novel approach and its planned implementation for the wire chafe detection work currently 
funded through the Vehicle Systems Safety Technologies project. This is however just one small 
piece of the overall picture. The Aviation Safety Program’s System-wide Safety Assurance 
Technologies project currently funds much of the research and development of applied 
algorithms for batteries, electronic components, and electromechanical actuators discussed 
above. 

In the Safety Factors section, the Electrical Wiring and Interconnect System (EWIS) was shown 
to be a historically notorious common point of failure that affects nearly all types of avionics 
equipment. Furthermore, with modern jet aircraft containing 100 to 200 miles of wire [198] the 
EWIS is a large system in great need of automated health assessment technology. The current 
SOA is limited to the detection of hard faults (i.e., opens, shorts, and arcing) in practice; but that 
only enables mitigation after a serious electrical issue occurs, rather than preventing it from 
occurring in the first place. For these reasons the VSST project is focused on developing and 
advancing methods that enable the diagnosis of precursor fault modes to identify problem areas 
well before they affect the safe operation of the aircraft. 

Chafing and connector degradation are among the most commonly occurring issues identified in 
wiring health maintenance studies, and both of them are precursors to more serious faults. Past 
efforts targeted at detecting these faults in practice focused on pairing hardware development 
with ad-hoc signal processing methods, and failed to produce systems sensitive enough to detect 
the subtle electrical signatures inherent to these fault modes. Furthermore, prior to NASA’s 
investment in this area there was almost no existing research detailing the underlying physics 
needed to understand how signals propagating through the interconnect system are affected by 
these faults, and thus how signals can be used to electronically detect faults in an optimal way. 

The funded research in VSST seeks to fill the technology gaps identified above by combining 
physics-based modeling of electrical signal propagation through chafed wires and degraded 
connectors with Bayesian probabilistic methods for estimating key faulty system parameters, 
such as fault location and size, along with a quantitative characterization of the associated 
estimation uncertainty. The maturation plan for this work is shown in Figure 6.10. 

[Figure 6.10: maturation plan diagram; the only surviving label reads "Technology Migration".] 



Figure 6.10. — Chafing and connector diagnostics maturation plan 

The completion of this research enables: (1) a complete physics based understanding of the 
chafing and connector fault detection problem that can lead to improved wiring system design 
and new alternative methods for fault detection; (2) optimal robust fault detection methods that 
can account for the effects of real-world uncertainties; and (3) a path to combining wiring 
diagnostics algorithm outputs with the integrated “whole vehicle” information system described 
in this document. Ultimately, this work will enable the development of electronically 
diagnosable wiring systems with greatly improved safety, reliability, and sustainability. 

The progress of this task will be evaluated in 1 year increments with the following development 
to a higher complexity system: 

FY11: Physics based models for chafing in aircraft wire: Develop and verify computationally 
efficient physics based models for the time/frequency domain electrical signatures caused by 
chafing in common shielded aircraft wire types. 

FY12: Optimal probabilistic fault detection algorithms: Use the physics-based models to create 
optimized robust fault detection algorithms for chafing fault detection in common aircraft wiring 
types and validate with lab measurements. 

FY13: Determine chafing fault detection trade-space: Explore ability to apply the developed 
fault detection algorithms in both an on-ground maintenance type setting as well as an on-board 
setting involving wires carrying active communication signals. Where possible, use the validated 
models to suggest new methods for improving wiring system design and enhancing fault 
detectability. Investigate optimal reflectometry signal profiles that can maximize the accuracy 
and minimize the uncertainty of fault parameter estimates. 

FY14: Test-tool development: The lessons learned and the algorithms developed will be 
matured for utilization in an early prototype test-tool. Such a tool will be useful for maintenance 
depot applications. Additionally, the tool development will aid in transitioning to an on-line 
application for detection and diagnosis. The tool will allow for extended validation and provide 
opportunities for further enhancement to the algorithms for improving detection and mitigating 
false positives in realistic scenarios. 

FY15: Demonstrate fault diagnostics for aircraft systems: To support the project goal of 
achieving an aircraft-level health management system, incorporate and adapt the developed 
wiring fault test beds and diagnostics software into an integrated demonstration system or test 
bed. 

6.6.4 Propulsion Development and Implementation 

6.6.4.1 Engine Emerging Discs and Composite Materials Health 

This work concentrates on efforts to reduce the initiation of damage in high temperature engine 
components and to ensure that any failures that may occur will be contained without causing 
secondary damage to the airframe. The desire to continuously increase engine efficiency has driven 
manufacturers to develop engines that operate at ever higher temperatures. Here, complex 
chemical deposits are condensed on the surfaces of rotating components resulting in corrosion of 
the surfaces that can lead to the formation of cracks. To mitigate these corrosion processes, 
advanced coatings will be developed that can withstand the higher engine operating temperatures 
while providing a corrosion barrier to the high temperature engine materials. In further attempts to 
improve aircraft efficiency, the materials used to produce engine casings have been changing for 
the last decade. The use of composite casings instead of traditional aluminum casings represents a 
significant weight savings while demonstrating excellent capability in containing ejected 
components. However, there has been very little study on the sustained performance of these new 
cases after prolonged use and degradation. To ensure continued safe operation of the composite 
engine cases and to develop improved understanding to assist in the design of more damage 
resistant cases, test methods to examine how cases perform after aging are being developed. 

6.6.4.2 High Temperature Propulsion Health Management 

The implementation approach associated with Propulsion Health Assurance is continued 
advancement of sensor and algorithm technology, its integration into diagnostic approaches, and 
overall system demonstration in engine testing. The approach is to very tightly integrate Smart 
High Temperature Sensor Systems with advances in Propulsion System Diagnostics and to feed 
both directly into a continuing series of VIPR tests. 

Smart High Temperature Sensor Systems development enables improved implementation of 
reliable sensor technology in the engine through the use of smart, multiparameter sensors and 
sensor systems capable of high temperature operation. This task will develop: (1) Multiparameter 
harsh environment engine sensor suite for comprehensive detection of compressor, turbine, and 
rotor failure precursors. (2) Harsh environment emission sensor system for overall engine health 
evaluation and detection of failures such as oil leaks or engine fires. (3) High temperature 
wireless sensor system including sensing, electronics, telemetry and power. An example of a 
development path is smart high temperature wireless with integrated electronics. In FY13, 
demonstration of core capabilities of a wireless smart sensor system in a laboratory setting will 
take place to establish the building blocks for an integrated system. In FY16, the first engine 
demonstration of a limited smart high temperature wireless data sensor system to detect engine 
faults is planned with operation at temperature of at least 500 °C. High temperature wireless is a 
building block for a new generation of high temperature smart sensor systems with improved 
ability to characterize engine health without wires (a major cause of sensor system failure). 
Demonstration of these capabilities is a paradigm shift in on-engine sensor systems enabling 
revolutionary new capabilities. 

Propulsion System Diagnostics enables improved diagnostics both onboard and for later ground- 
based evaluation. This Task will develop and mature on-board model-based aircraft engine 
estimation and diagnostic technology by: (1) Focusing on the reduction of safety-significant 
propulsion malfunctions that have contributed to past propulsion system malfunction plus 
inappropriate crew response accidents such as asymmetric thrust, rejected takeoffs, and in-flight 
engine shutdowns. (2) Real-time propulsion state assessment to reduce LOC events and to 
improve operator situational awareness. (3) Real-time engine performance assessments to 
diagnose environmentally induced propulsion malfunctions such as volcanic ash ingestion and 
engine ice accretion. (4) Providing diagnostic benchmarking problems and metrics leading the 
engine community in standard approaches and practices. An example of this work is a real-time 
simulation facility demonstration of asymmetric thrust detection. Asymmetric thrust is a 
significant contributor to propulsion system malfunction plus inappropriate crew response 
accidents and incidents. This effort will evaluate the effectiveness of different approaches for the 
real-time detection of asymmetric thrust conditions. 

In future VIPR testing, a suite of advanced aircraft engine health management sensors and 
algorithms will be evaluated for their capability to improve aircraft engine health assessments. 
These evaluations are to be conducted through a series of on-wing ground-based engine tests on 
a high bypass turbofan engine installed on an aircraft. Engine test scenarios for VIPR Tests 
include nominal operating scenarios, non-damaging seeded fault scenarios, and damaging fault 
scenarios such as sand and volcanic ash ingestion tests. Propulsion health management 
technologies to be evaluated during this testing include microwave tip clearance sensors, 
chemical emissions sensors, oil debris/condition monitoring sensors, high frequency 
accelerometers, electrostatic debris monitoring sensors, and gas path performance diagnostic 
algorithms. Such simulated and seeded engine tests are rare and vital in validation of sensing and 
diagnostic technologies, and these tests plan to include interaction with OGA and industry. This 
task directly depends on the development of both new technologies in Propulsion System 
Diagnostics and Smart High Temperature Systems to expand the capabilities in Propulsion 
Health Management and demonstrate new abilities to assess engine health in a range of engine 
testing conditions that directly address a range of safety issues. 

The successful completion of this testing provides new capabilities for engine monitoring; new 
inputs to engine diagnostics, including those for gas path and turbomachinery; maturation of 
sensor systems with on-engine testing; and unique correlation of sensor data with engine fault 
conditions. Results include: 

• Evaluation and demonstration of emission sensor systems to identify exhaust gas species 
and detect changes under varying engine operating and fault conditions in a relevant 
operating environment. 

• Data collection from multiparameter engine sensor systems in both simulated and real 
fault conditions to assist evaluation of model-based gas-path diagnostics methods. 

• Evaluation and demonstration of rotordynamic structural health monitoring: Smart 
accelerometers and blade clearance and tip-timing sensors to monitor the rotating blade 
and vibrational properties of the engine. 

The challenge in propulsion information fusion is to develop methods for combining/fusing 
disparate aircraft engine health information sources to produce an improved assessment of 
overall engine health. This includes the ability to combine diagnostic information related to 
different engine subsystems (e.g., combining gas path health and structural health information), 
which are obtained by applying different diagnostic methods (e.g., combining model-based and 
data-driven diagnostic approaches) and derived from sensor measurements acquired at different 
sample rates. The fusion of engine diagnostic information is expected to yield several 
improvements over segregated diagnostic analysis. This includes reduced diagnostic latency, the 
detection of smaller magnitude faults, and improved capability to discriminate between different 
fault types. Examples of diagnostic information fusion include, but are not limited to: 1) 
combining performance, vibration, and blade health information to diagnose foreign object 
damage; 2) combining vibration and oil debris health information to diagnose mechanical 
component faults; and 3) combining chemical emission and performance health information to 
diagnose combustion faults. 

A summary of the Propulsion Health Milestones showing this integrated approach for technology 
development is given below and in Figure 6.11. 

FY12: Demonstrate 1st generation off-nominal engine operation sensing: Correlate 1st 
generation sensor system responses in VIPR tests to simulated engine faults at a basic 
level. These sensors include smart diagnostic accelerometer, emissions sensors, and a 
checkout of the microwave tip clearance sensor operation, and will be correlated with 
diagnostic modules to better characterize engine health state. These are unique tests that 
allow the introduction and evaluation of new technology into health management 
applications. 

FY13: Demonstrate ability to diagnose off-nominal engine operation: C-17 engine data (both 
existing data and potential future VIPR test data) will be processed through the model- 
based diagnostic architecture. This will demonstrate the diagnostic functionality of the 
model-based gas path diagnostic architecture. This includes the architecture’s ability to: 
1) “self-tune” to match the performance of the actual engine; and 2) diagnose the 
occurrence of any inserted gas path fault conditions. 

FY14: Demonstrate engine failure detection and diagnosis with expanded sensor suite that 
includes sensors installed in core of engine: Correlate 2nd generation sensor system 
responses in VIPR tests to simulated and real engine faults. Building on the first 
generation sensor systems previously demonstrated (smart diagnostic accelerometer and 
emissions sensor systems), expand the sensor suite demonstrated on-engine to include 
candidate technologies such as the microwave tip clearance sensor, high temperature 
pressure sensor, thin film physical sensors, fiber optic temperature sensors, and limited 
high temperature electronics. 

FY15: 1) Complete sensor diagnostic functions for previously tested fault conditions: Each 
sensor is sensitive to a certain subset of faults that will have been seeded in the first 
series of engine tests. Completion of this analysis will allow for new sensing capability 
to augment the existing gas path and structural diagnostic systems. These sensor 
elements are candidates for integration into the next generation high temperature smart 
sensor systems. 2) Demonstrate engine diagnostic systems based on expanded sensor 
suite: Potential data sets include test data collected from VIPR I, II, and III testing. This 
will demonstrate the diagnostic and performance estimation functionality of the model- 
based gas path diagnostic architecture. Additionally, the improvements gained by 
incorporating additional gas path sensor measurements will be evaluated. This is a major 
step in moving toward the capability to provide in-flight capabilities to diagnose engine 
health state and prevent in-flight propulsion malfunctions. 

FY16: Develop propulsion health assessment system: Design and develop a modular, 
hierarchical, propulsion health management system to enable the fusion of diagnostic 
information produced by different propulsion diagnostic subsystems. This is the product 
integration of the sensors and diagnostics activities matured in the first 5 years of MVS, 
and includes new sensor systems and diagnostics evaluated in on-engine testing. 

[Figure 6.11: milestone chart spanning FY12 through FY16 with four activity tracks: Propulsion System Diagnostics; Smart High-Temperature Sensor Systems; Vehicle Integrated Propulsion Research (VIPR); Materials and Coatings.]

Figure 6.11. — Propulsion Health Assurance milestones and activities.


7.0 Possible System Benefits

The IVHAS concept presented in this document holds multiple benefits. First and foremost, the 
intended benefit of IVHAS is improved aviation safety. However, it is readily acknowledged that 
without associated economic benefits it is difficult to field new technology. Therefore, in 
addition to safety benefits IVHAS must also provide an economic benefit that enables the 
technology to “buy its way” into implementation. Expected economic benefits include: reduced 
in-flight malfunctions, reduced unplanned maintenance, reduced unscheduled part replacements, 
and reduced maintenance related delays and cancellations. For example, a fundamental change in 
maintenance approaches from maintenance on schedule to condition-based maintenance may 
have a notable economic impact. Further, many of the resultant IVHAS benefits come from 
taking a system-level approach to assuring vehicle health. This includes design enhancements to 
prevent or mitigate system failures, advanced sensing techniques to measure new 
parameters/locations, automated monitoring and analysis (both on-board and off-board), 
enhanced manual inspection techniques, and the sharing and integration of information amongst 
subsystems. 

Initially, much of the VSST MVS work will focus on subsystem technology development and
maturation. This includes developing improved materials and coatings, algorithms, sensors, and 
inspection techniques. The focus will be on the health assurance challenges presented by 
emerging designs, harsh operating environments, difficult to inspect locations, and the need to 
leverage all available information sources (both on-board and off-board). Individually, 
advancements in any one of these areas could be critical in breaking the chain of events leading 
to an aviation accident. Collectively, these technology advancements enable safer and more 
efficient aircraft operation and sustainment. Moving forward, the integration of these 
technologies holds further benefits. Understanding the health assurance challenges presented by 
emerging materials and designs enables the appropriate monitoring, inspection, and fault 
mitigating strategies for these technologies to be developed. Also, the interaction and sharing of 
information between subsystems provides improved vehicle health assurance capabilities. The 
techniques to share and analyze vehicle health information between vehicle information systems 
(both on-board and ground-based), fleet-wide databases, ground maintenance personnel, 
overhaul facilities, and fleet managers enables the efficient and effective management of system 
health, maintenance actions, and cost. For example, on-board health monitoring functionality is 
designed to identify system anomalies in-flight, which can be autonomously communicated to 
ground maintenance personnel and used to optimally schedule the maintenance/inspection 
actions necessary to safely return the vehicle to service with minimal impact to flight operations. 
Additionally, maintainers are provided access to a fleet-wide central database of vehicle 
operating history and health information that assists them with fleet logistic decisions, including 
the capability to quickly identify and address maintenance/inspection related needs. The 
judicious sharing of select vehicle health state information to support crew decision making and 
mitigate/avoid loss of control scenarios can further help to enhance aviation safety. 

Integrated Vehicle Health Assurance benefits include on a broad level:

• Overall vehicle health assessment. Vehicle state information during standard
conditions and adverse events to assess individual and combined health of vehicle
subsystems

• Subsystem methods/information for prediction of future health/extend life

• Subsystem health assessment addresses Vehicle Health Assurance but also Loss of
Control and Effective Crew-System Interactions.

• For example, processing of the data from a particular sensor reveals the need for a
maintenance action, which can then be autonomously coordinated in advance with a
maintenance facility and optimally scheduled to minimize impact to operations.

• Maintainers interface with central database through custom applications that help them
quickly locate and fix problems according to a preset schedule.

• Fleet managers can monitor overall system health, maintenance actions, and cost.


The vision for an Integrated Vehicle Health Assurance System is to provide an integration of 
design and materials, onboard monitoring, and ground-based maintenance functionality to assure 
overall vehicle health. This includes providing vehicle health state information for use in loss of 
control, crew system interfaces, and maintaining vehicle safety between inspections. In other 
words: 

• Advanced materials and coatings prevent unsafe damage growth between inspections in 
areas difficult to inspect 

• Enhanced inspection methods increase ability to detect damage and faults during 
inspections 

• On-board detection identifies damage or post-inspection faults, provides information on 
the fault, and provides alerts that corrective maintenance is required. 

To illustrate the application of our approach, two examples are given below. These examples are 
chosen to highlight the concept that changes in the vehicle health state can occur after a major 
inspection. One of the most straightforward ways to do this is to examine damages that occur to a 
vehicle while in-flight. Thus, examples related to environmental hazards are discussed. While 
aspects of environmental hazards are addressed elsewhere in the Aviation Safety Program, 
response to these environmental hazards on the vehicle level is a major responsibility of the 
MVS Technical Challenge. A vision of the MVS Technical Challenge response is given below. 

7.1 Vehicle Damage Due to Lightning Strikes

7.1.1 Scenario 

After a major inspection, the vehicle is struck by lightning while in-flight. The vehicle itself has 
significant composite components that are more susceptible to damage than traditional metallic 
systems. It is assumed that the lightning strike can be detected, but the extent of the damage due 
to this lightning strike is unknown to the crew. The following describes how an IVHAS can
prevent the crew from improperly responding to this event, and how to keep such an event from 
becoming hazardous in the first place. 

7.1.2 IVHAS Response 

Preparing for such an incident should not begin after it happens. Rather, it is generally known 
that composite materials have different aging properties and response to damage. Making these 
materials resistant to in-flight damage by design is the first step towards ensuring continued 
flight safety. IVHAS will not only study the properties of composite materials related to response 
to damage, but also provide for a limited amount of self-healing. 

If the lightning strike is major and causes notable damage to the aircraft, a number of systems 
may be affected depending upon where the lightning strike takes place. The composite structure 
could be damaged with significant consequences especially near the fuel tank. The engine could 
be damaged, either causing structural damage to the engine itself or causing failures of one or
more engine subsystems. Finally, the electrical system could be damaged, either exposing wires
or disconnecting wires altogether leaving some control functions inoperable. 

IVHAS in the form of DAASH provides structural health monitoring integrated across the 
vehicle structure. Detection and identification of the structural damage location and magnitude is 
the first step towards an understanding of what has happened to the vehicle. Verification and 
identification of any engine damage would be another step towards confirming continued flight 
safety. Isolation of wiring faults and any discontinuity in avionics functions not only corroborates the
identification of the lightning strike location, but also provides information on any resulting lack
of system functionality important to recovering enough control of the vehicle to execute a safe
emergency landing if necessary.

The IVHAS approach minimizes overall burden to the vehicle by locally processing this 
information to determine the state for each subsystem. The assessment for each subsystem is 
based upon the “fingerprint” of the vehicle. That is, an understanding of whether damage has 
occurred needs to be based on such factors as the current baseline and history for the relevant 
individual vehicle subsystems. For example, it’s important to account for affected components 
near the end of their maintenance life spans, or with histories of borderline functionality. 

The information from these three subsystems is then fed into a Vehicle Level Reasoner (VLR). 
This Vehicle Level Reasoner is the arbitrator in assessing the vehicle health state given the 
various inputs. Since local processing is done within the subsystems, only higher-level 
information is fed to the VLR on a standard basis. If a fault is identified, then the VLR can query 
the individual subsystems for more detailed information to determine the overall vehicle health
state. The VLR consolidates this information to determine the health state of the system in-flight. 

A fundamental point associated with the VLR is that it does not provide information directly to 
the crew. If the damage is considered imminently hazardous, then the information is fed through 
proper CDM and/or ASC methods to determine the proper response and presentation to the crew 
when necessary. In parallel, condensed information can be transmitted to the ground to provide
an alert of the hazard, enabling maintenance facilities or emergency response teams to
immediately address the problem on landing.

If the lightning strike is minor and causes minimal damage to the aircraft during this particular 
flight, it does not mean that this damage will not pose a safety hazard in future flights. For 
example, the lightning may produce a small crack within the composite structure that could grow 
over time into more significant damage that affects vehicle operation. The lightning strike may 
damage the structure of the engine causing an oil leak that compromises future engine 
performance or affects the quality of bleed air provided to the air cabin environment. Finally, the 
lightning strike could affect the avionic system causing localized heating to a wire, which upon 
further chafing could result in an avionics malfunction or even a fire. 

Although the level of damage may not be enough to immediately affect the safety of the vehicle, 
it probably will be a cause for maintenance action. The VLR and each subsystem can locally 
process and record the incident and the change in fingerprint of the vehicle. Upon landing, a 
hierarchy of messaging can be provided to the ground maintenance crew. This set of messaging 
can include notification that a lightning event has occurred, or simply be notification that the 
lifetime of an individual part is nearing its limit due to off nominal conditions that have occurred 
during the vehicle’s operation. 

In this example, the IVHAS can record that indeed a lightning strike has taken place and provide 
information related to its likely location. Enhanced inspection techniques related to composite 
materials can then examine the relevant parts of the structure. These enhanced inspection 
techniques will be able to identify flaws, which may have been either insignificant or nonexistent 
for metallic structures, but could be the source of long-term degradation for composite structures. 
The detected presence of an oil leak or other engine malfunction can allow ground crews to
isolate those components for further evaluation. If the electrical system were damaged, 
maintenance crews would know where to follow up with an inspection and make the needed 
repairs. 

Thus, in order to Maintain Vehicle Safety between inspections in this particular example of a 
lightning strike, it is not just a single subsystem that provides relevant information. Nor is it only 
in-flight data that is used to assure vehicle health. It is the combination of materials, in-flight 
monitoring, and enhanced inspection techniques and vehicle prior history that provides a 
framework for long-term vehicle safety. 


NASA/TM—2013-217825


7.2 Vehicle Damage Due to Volcanic Ash 

7.2.1 Scenario 

In contrast to the lightning strike example, the potential hazard due to volcanic ash may not be 
easily identifiable by the crew. Volcanic ash is often transparent to the crew and its presence may 
not be predicted beforehand by air traffic control. Presently, there may be little indication that the 
vehicle is affected by volcanic ash until significant system damage occurs. For example, engine 
damage due to volcanic ash ingestion may occur within minutes. Indications of impingement of 
particulates upon the airframe may be noticed, but without correlation to other indicators may be 
misinterpreted. The following describes how the technologies being developed in IVHAS can 
impact this safety hazard. 

7.2.2 IVHAS Response 

Damage caused by a series of small particulate strikes may in fact be more significant for 
composite materials than present metallic structures. Small indentations in composite structures 
have different growth properties than what might be seen in metallic structure, and can 
potentially grow into more serious damage conditions. Thus, damage tolerant material designs 
are critical to maintaining safe operation. Further, self-healing composite materials may 
eliminate the need for repairs associated with minor damage and even prevent long-term safety 
issues from occurring later in the vehicle’s life.

As in the previous example, IVHAS in the form of DAASH provides structural health 
monitoring integrated across the vehicle structure. Detection of the structural damage location 
and magnitude is an indicator that the aircraft is experiencing conditions beyond standard 
operation. While diagnostics and prognostics of changes in the aircraft structure are processed
locally, summary information related to changes in the airframe fingerprint can be provided to 
the VLR. 

Engine damage associated with volcanic ash is presently not fully understood. The activities in 
IVHAS are aimed at significantly improving the understanding of the effects of volcanic ash on 
engine systems through the series of VIPR tests discussed above. These activities will also 
provide new sensor systems to better characterize the overall engine state. For example, if 
conducted as planned, exposure to volcanic ash over a period of time will be correlated to both 
existing and new sensor measurements. After the testing has driven the engine to failure, post 
failure diagnostics will look at the causes of engine failure. This information can be fed into 
improved engine sensor systems, but also be valuable towards the development of relevant 
engine diagnostic systems. 

Onboard engine sensors and diagnostics are critical to being able to detect a hazardous event 
such as damage caused by volcanic ash. New engine sensor systems are tools that if implemented 
can provide new information on changes in engine temperature profile, tip clearance to monitor 
depositions on blades, improved accelerometers to detect the onset of changes in vibration 
conditions, and bleed air and emission sensor systems to monitor changes in the other aspects of 
engine operation. Onboard engine diagnostics is fundamental to correlating these various inputs 
into an assessment of changes in engine state and potential hazardous conditions. This engine
diagnostics approach, which takes into account the particular fingerprint of the engine while on
board, is a core feature in providing alerts regarding changing engine conditions on a real-time
basis.

The information from the airframe and propulsion subsystems can then be fed into the VLR for
a more integrated understanding of the vehicle health state. Correlation between the airframe and
propulsion subsystem information can provide an indication related to the source of the problem.
If, for example, an engine failure begins to occur and limited airframe impact is noted, then such
a condition may indicate the presence of volcanic ash. In contrast, if a more significant impact is 
noted in correlation to changes in engine operation, other factors may be occurring, such as a 
bird strike. 

The role of the VLR in this case is again to provide information to other aircraft and ground 
systems. If the damage is considered imminently hazardous, then this information can be fed to 
the CDM and ASC methods for proper response or presentation to the crew. In the case of 
volcanic ash, a priority system may need to be established to highlight high levels of hazard. 
Regardless, this information is not directly provided to the crew. However, indications that an
aircraft is being exposed to volcanic ash are of high interest to ground personnel. Such indications
correlated across multiple aircraft can provide air traffic managers with an alert that volcanic ash
may be present in the region, assisting in fleet-wide safety.

IVHAS that can indicate that an aircraft has potentially been exposed to volcanic ash can enable 
ground personnel to provide appropriate maintenance actions. In fact, given the data produced by 
the VIPR series of tests, ground personnel will have an improved understanding of what 
specialized inspections may be necessary for systems exposed to volcanic ash. Enhanced 
inspection techniques related to composite materials can identify flaws, which may have been 
either insignificant or nonexistent for metallic structures, but could be the source of long-term 
degradation for composite structures. 

Thus, in order to Maintain Vehicle Safety between inspections in the case of volcanic ash 
exposure while in-flight, correlation of information from at least two subsystems can provide an 
indication of the potential hazardous condition. The crew may not be aware of such a volcanic 
ash exposure, and thus not be able to notify ground maintenance. This is an example where in- 
flight data from multiple subsystems generates relevant maintenance actions related to what the 
aircraft has experienced in-flight, as opposed to being determined by a preset schedule. As in the 
previous example, it is the combination of materials, in-flight monitoring, and enhanced 
inspection techniques and vehicle prior history that provides a framework for long-term vehicle 
safety. 

7.3 Maintenance Issues Leading to a Sequence of Events

7.3.1 Scenario

A series of maintenance issues, combined with an unexpected atmospheric disturbance, leads to 
a single system failure that cascades to affect multiple subsystems endangering the safety of the 
overall vehicle. This scenario includes actions by the pilot that further complicate the ability to
maintain vehicle safety. The vehicle itself has a mixture of metallic and composite components. 
The following describes how an IVHAS system can help prevent the scenario from escalating 
into an in-flight failure, and in the event that an in-flight failure does occur, assist the crew and 
control system in responding to the event. 

7.3.2 IVHAS Response 

This scenario concentrates on maintenance and design issues that then lead to a single system 
failure that cascades to affect multiple subsystems endangering the safety of the overall vehicle. 
This scenario contains examples of multiple maintenance issues that combined with atmospheric 
conditions and crew response lead to a hazardous condition. While the probability of all these 
issues occurring at the same time is low, any one of these can cause an accident or incident.

This safety hazard begins with a known faulty accelerometer that was not replaced in the inertial
reference unit. During an atmospheric disturbance, a second accelerometer in the inertial
reference unit also fails, leading the aircraft flight computer to cause the aircraft to pitch up
based on faulty information. The pilot attempts to respond to the misunderstanding of the flight
situation with aggressive use of control surfaces leading to structural failure. The structural 
failure is in part due to excessive fatigue of the flight control surfaces as well as their operation 
beyond standard operating conditions. This includes damage in composite materials not detected 
during inspection. The following discusses each of these steps that led to the hazardous 
condition, and then describes a possible response of IVHAS even if this series of events occurs. 

A major component of IVHAS is the concept that a “fingerprint” of the vehicle is available 
throughout its operation. In order for such a fingerprint to be valid, storing and processing of 
information is necessary. This data processing and analysis will be performed not just in a central 
location, but at various levels throughout the vehicle system and ground support operations. 
Maintenance actions performed on the vehicle should be included as part of the vehicle 
fingerprint. Such maintenance history can include the identification of parts that have been 
replaced due for maintenance, or have typically been considered in proper operating condition. 
Such a fingerprint should certainly include record of a part identified as faulty. Such data can be 
recorded, especially simple flagged data, as part of information carried with the vehicle and 
updated while on the ground. If a specific set of maintenance data is not included as part of the 
vehicle fingerprint, targeted data sets can be transmitted to the vehicle if the situation warrants it. 

However, there is a limit to the amount of data that can either be transmitted or stored. The 
IVHAS is based on a hierarchical approach where intelligence is distributed throughout the vehicle
down to the level of smart sensor systems and components. A smart sensor will determine its 
own health and flag that information as a standard part of the data stream. A local node can take 
this into account when comparing various sensors, for example, three accelerometers, in a voting 
scheme. In the case of the known faulty accelerometer that was not replaced, the approach is that 
the accelerometer itself should evaluate its health and identify its data as suspect. MVS is in fact 
developing such a smart accelerometer. Thus, the implementation of a distributed intelligence
approach can contribute to identifying not only that the first accelerometer is faulty, but also that
the second accelerometer has failed. The information then provided from the local node
does not need to include all of the information from both accelerometers. Rather, the local node 
simply reports two failed accelerometers, and the information from the remaining operational 
sensor. 
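
The local-node voting described above, sketched as an added example (not code from this report or from the MVS project). It shows why the self-reported health flag and the maintenance fingerprint matter: with plain voting, two failed accelerometers can outvote the one good sensor. Sensor names, the 0.5 m/s^2 agreement tolerance, the confidence labels, and all readings are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Reading:
    sensor_id: str
    value: float        # acceleration in m/s^2 (constructed sample values)
    self_healthy: bool  # health flag the smart sensor puts in its own data stream


@dataclass(frozen=True)
class NodeReport:
    """Condensed summary the local node passes upward instead of raw data."""
    failed: tuple               # ids of sensors excluded by the node
    value: Optional[float]      # fused measurement, None if it cannot be trusted
    confidence: str             # "voted", "single", "unresolved" or "none"


def local_node_vote(readings, known_faulty=frozenset(), tolerance=0.5):
    """Fuse redundant sensor readings at a local node.

    known_faulty: sensor ids flagged in the vehicle fingerprint (maintenance
    history). tolerance: assumed maximum disagreement between healthy sensors.
    """
    # Step 1: drop sensors the fingerprint or the sensor itself marks as suspect.
    failed = {r.sensor_id for r in readings
              if r.sensor_id in known_faulty or not r.self_healthy}
    trusted = [r for r in readings if r.sensor_id not in failed]

    # Step 2: with three or more candidates, vote out readings far from the median.
    if len(trusted) >= 3:
        mid = median(r.value for r in trusted)
        outliers = {r.sensor_id for r in trusted if abs(r.value - mid) > tolerance}
        failed |= outliers
        trusted = [r for r in trusted if r.sensor_id not in outliers]

    # Step 3: decide how much the fused value can be trusted.
    values = [r.value for r in trusted]
    if not values:
        value, confidence = None, "none"
    elif len(values) == 1:
        value, confidence = values[0], "single"
    elif len(values) == 2 and abs(values[0] - values[1]) > tolerance:
        # Two sensors disagree: a fault is detected but cannot be isolated here,
        # so a higher-level reasoner has to ask for more detail.
        value, confidence = None, "unresolved"
    else:
        value, confidence = median(values), "voted"
    return NodeReport(tuple(sorted(failed)), value, confidence)


# Constructed scenarios. True acceleration is about 9.8 m/s^2 in each.
NOMINAL = [Reading("ACC-A", 9.8, True), Reading("ACC-B", 9.9, True),
           Reading("ACC-C", 9.7, True)]
# Two sensors stuck at 0.0 with no self-diagnosis: the vote rejects the good one.
TWO_STUCK_LEGACY = [Reading("ACC-A", 0.0, True), Reading("ACC-B", 0.0, True),
                    Reading("ACC-C", 9.8, True)]
# Same failure, but ACC-A is in the fingerprint and ACC-B flags itself.
TWO_STUCK_SMART = [Reading("ACC-A", 0.0, False), Reading("ACC-B", 0.0, False),
                   Reading("ACC-C", 9.8, True)]
# ACC-A is in the fingerprint, but ACC-B's self-test misses its own failure.
SELF_TEST_MISS = [Reading("ACC-A", 0.0, False), Reading("ACC-B", 0.0, True),
                  Reading("ACC-C", 9.8, True)]


def run_scenarios():
    return {
        "nominal": local_node_vote(NOMINAL),
        "two_stuck_legacy": local_node_vote(TWO_STUCK_LEGACY),
        "two_stuck_smart": local_node_vote(TWO_STUCK_SMART, known_faulty={"ACC-A"}),
        "self_test_miss": local_node_vote(SELF_TEST_MISS, known_faulty={"ACC-A"}),
    }


if __name__ == "__main__":
    for name, report in run_scenarios().items():
        print(f"{name:18s} {report}")
```

In the "two_stuck_legacy" case the node confidently reports 0.0 and blames the healthy sensor; in the "self_test_miss" case it withholds a value rather than guess, which is the condition under which a vehicle-level reasoner would query the subsystem for detail.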

If inaccurate information is supplied to the inertial reference unit, the overall health state of the
vehicle can be understood by monitoring and correlating sensed information throughout the 
vehicle. For example, measurement of the strain on the airframe can provide independent 
information on the flight environment of the vehicle. The initial atmospheric disturbance would 
be expected to have an effect on the airframe, which would subside as the disturbance passes. 
Thereafter, the strain on the vehicle produced by external factors would then be associated with 
the flight conditions present after the disturbance. Effectively, being hit with air turbulence 
would be something that could be determined with a structural health monitoring system, and 
provide information both on the duration and the extent of the turbulence. 

If the pilot is unaware of the actual situation and begins to attempt to establish control through 
aggressive use of the flight control surfaces, then the aircraft may be operated beyond standard 
limits. In this scenario, fatigue has occurred associated with a flight control surface at a much 
faster rate than normal. In this case as well, distributed intelligence can have a significant role to 
play in maintaining vehicle safety. If the system can perform self diagnostics, then a history of 
this flight control surface loading and dynamics can be maintained. If it is determined that a 
failure is imminent, then the subsystem can also provide information to a local node for 
processing. If aggressive flight control maneuvers taken by the pilot subject the vehicle’s flight 
control surfaces to unsafe levels of loading and fatigue, then the airframe structural health 
monitoring system can give warning of excessive use of the control surfaces before failure 
occurs. 

The integration of advanced design and an understanding of the material properties are crucial in 
both understanding the status of the vehicle and remaining life in structures that are operating 
beyond their design limits. These faults may occur at different rates for different material 
components. Although there is a significant history related to metallic systems, the information 
available related to composite materials is significantly less comprehensive. In this scenario,
improved inspection techniques found structural faults that previously would have been
undetected. Monitoring systems onboard the aircraft can identify regions in particular where
more extensive inspection is necessary, and identify areas where excessive wear has occurred.
This inspection information, combined with onboard detection systems, becomes part of the
fingerprint of the vehicle to be used both to maintain vehicle operational condition and in
cases where unforeseen factors have caused structural damage.

The failure of flight control surfaces on an airframe can be catastrophic. If such failure occurs, it 
is first important to understand what has failed. If structural failure is beginning to occur, this can 
affect other parts of the vehicle. In principle, a cascade effect can result affecting the airframe 
and propulsion subsystems, or even disrupt the avionic subsystem. The combination of the health 
and status information related to the airframe and avionics subsystems can be used to determine 
the status of the overall vehicle. A Vehicle Level Diagnostics System can be used to correlate the
information between the various subsystems providing an overall assessment of the vehicle’s
health. Even an incomplete snapshot of the vehicle health can be critical; understanding, for
example, if a rudder has broken off or is still in place but inoperable is a notable component in
understanding what has happened to the vehicle. This information can then be provided to both 
CDM and ASC to determine potential courses of action. 

Past NASA studies have shown that, in the event of some flight control system failures, it is
possible to use the aircraft engines to avert or recover from the scenario [199,200]. Such
approaches are presently being pursued in ACS. However, such mitigation strategies may require
operation of the engine systems significantly outside of the standard operating envelope. As noted
elsewhere in this scenario, operation outside of standard conditions can be problematic if this
then causes further system failure. It is then important to understand engine health on an ongoing
basis if the engines are to be used also as a control effector for the vehicle. A focus of the IVHAS
activities is to develop and demonstrate harsh environment smart sensor systems combined with 
propulsion system diagnostics and performance monitoring. These harsh environment smart 
sensor systems not only provide measurements previously unavailable, but also, as noted above, 
are able to identify their own health status. The propulsion system diagnostics combined with the 
sensor systems for real-time propulsion state assessment can improve operator situational 
awareness and provide an ability to determine remaining life and operability limits of the 
engines. In particular, this remaining life is foundational to approaches that involve the use of 
engines as the primary method of vehicle control. 

Thus, in order to Maintain Vehicle Safety in this scenario, it is important to keep the chain of 
events that leads to a hazardous condition from occurring. This begins with improved 
maintenance techniques and data handling that identify sensor, component, or subsystem faults 
before they can lead to a serious condition. Such faults are not isolated to one part of the vehicle; 
system faults in one part of the vehicle can cascade towards a vehicle level effect. A fingerprint 
of the vehicle combined with distributed intelligence throughout the system can both prevent 
hazardous conditions from occurring and allow a better understanding of the vehicle status if a 
fault has occurred. This information can be provided to ASC and CDM to allow a more 
appropriate response to the situation. It is the combination of materials, enhanced inspection 
techniques, in-flight monitoring, and vehicle prior history, now combined with control systems 
and crew interfaces, that provides a framework for long-term vehicle safety. 

8.0 Longer Term IVHAS Vision 

A longer term vision for Vehicle Health Assurance is shown in Figure 8.1. It is an expansion of 
the Concept of MVS Integrated Vehicle Health Assurance shown in Figure 6.4 that is advanced 
by concepts and developments discussed in Sections 6.5 and 6.6. However, the long-term 
concept of Figure 8.1 goes beyond what is needed for the MVS IVHAS approach, towards even more 
integrated intelligence in a vehicle. This long-term vision can be described as bringing together 
an ability for Robust Design, Maintaining and Sustaining the vehicle systems, and Vehicle 
Health Assessment. 

Figure 8.1. — A long-term vision for Vehicle Health Assurance. 


Robust Design within the next several years will concentrate on damage prevention and 
containment. However, as materials models improve, designs based on probabilistic design 
approaches can be envisioned that involve a high level of prognostic capability to reduce the 
design margin now typically used for safety purposes, and thus optimize system configuration 
for a better understanding of what is actually needed for a flight system. The ideal realization of 
robust design is an adaptive design that is self-configurable, i.e., able to modify its configuration 
to changes in both external hazards and damage, as well as component failures, at least until the 
aircraft is safely on the ground. 

The capability to Maintain and Sustain the vehicle first moves beyond the approach of 
maintenance by schedule presently used to one based on the condition of the component, 
subsystem, or vehicle. The first step beyond external condition based maintenance is a system 
that is internally self-repairing. A simple version of this approach is now being addressed with 
basic self-healing materials, but the approach advances towards self-repairing systems that 
address vehicle faults autonomously. A long-term goal is an adaptive vehicle that is in a 
continuous process of healing and modifying its configuration for safety and performance 
optimization. 

Health Assessment in the nearer future will concentrate on component and subsystem health 
monitoring and more advanced methods of inspection. The coupling of on-board sensors 
with off-board inspection systems, so that they complement each other and provide more complete 
monitoring, is part of improved vehicle awareness in the next several years. These hardware 
approaches must be coupled with software approaches for diagnostic and prognostic evaluation 
of the component and subsystem, moving towards an overall vehicle health assessment approach. 
Ideally, this complete vehicle health assessment system also includes the ability to predict the 
remaining life of components, subsystems, and finally the overall vehicle. 

A long-term vision of Vehicle Health Assurance combines all three capabilities: the adaptable 
design approach needed to have a proper understanding of the vehicle health state and life, with a 
capability to self-configure and adjust. The overall approach is for an intelligent and 
autonomously safe vehicle that is self-monitoring, self-correcting and repairing, and 
self-modifying [158]. One approach towards this vision is to build the intelligent system bottom-up 
from smart components. These smart components are independently self-monitoring, 
self-correcting, and self-modifying. Smart components monitor and adapt their individual status to 
the mission objectives and local conditions. Information is communicated to local nodes and the 
collection of these smart nodes encompasses the overall vehicle level operation. Overall, the 
approach is self-aware components yielding a self-aware vehicle system. 

It should be emphasized that this vision is meant as a guide for long-term development and is not 
part of MVS in the next 5 years. Parts of this work may be addressed over time by other NASA 
programs and projects such as Fundamental Aeronautics, Aeronautical Sciences, as well as in the 
Aviation Safety program and by OGAs. While the foundation for such a vision is being laid in 
the MVS Technical Challenge, the objectives of the MVS Technical Challenge are targeted 
towards impact in the next 5 years as described elsewhere in this document. Nonetheless, the 
vision of a system that, like a biological system, can know its environment, process information, 
communicate, and adapt, i.e., a system that can evaluate and fix itself, while being able to get 
external help as needed (go to the doctor) can be suggested as a goal in long-term safety 
advancements. 

Appendix A. — Acronyms 


ACARS         Aircraft Communications Addressing and Reporting System
ADEPT         All-Domain Execution and Planning Technology
AEPHM         Aircraft Electrical Power Systems Prognostics and Health Management
AEST          Atmospheric Environment Safety Technologies
AFRL          Air Force Research Lab
AIL           Aircraft-In-the-Loop
ASC           Assure Safe and Effective Aircraft Control under Hazardous Conditions
ASIC          Application Specific Integrated Circuit
ARMD          Aeronautics Research Mission Directorate
BITE          Built-in Test Equipment
BVID          Barely Visible Impact Damage
CAA           Civil Aviation Authority
CAST/ICAO     Commercial Aircraft Safety Team/International Civil Aviation Organization
CDM           Improve Crew Decision-Making and Response in Complex Situations
C-MAPSS       Commercial Modular Aero-Propulsion System Simulation
C-MAPSS40k    Commercial Modular Aero-Propulsion System Simulation, 40,000 lb
ConOps        Concept of Operations
DAASH         Dynamic Assessment of Aircraft Structural Health
AEST          Atmospheric Environment Safety Technologies
EHM           Engine Health Management
EHA           Electrohydraulic Actuators
EMA           Electromechanical Actuators
EMS           Engine Monitoring System
EWIS          Electrical Wiring and Interconnect System
FAA           Federal Aviation Administration
FADEC         Full-Authority Digital Engine Control
FAR           Federal Aviation Regulations (FAR)
FDAMS         Flight Data Acquisition Management System
DFADU         Digital Flight Data Acquisition Unit
FDR           Frequency Domain Reflectometry
FOD           Foreign Object Debris
FY            Fiscal Year
GPHM          Gas Path Health Management
ICR           Inappropriate Crew Response
HIL           Hardware-In-the-Loop
HPC           High Pressure Compressor
HCF           High Cycle Fatigue
HPT           High Pressure Turbine
HUMS          Health and Usage Monitoring Systems
IFSD          In-Flight Engine Shutdown
IVHAS         Integrated Vehicle Health Assurance System
IVHM          Integrated Vehicle Health Management
JPDO          Joint Planning and Development Office
LEHV          Low Energy High Voltage
LOC           Loss of Control
LRU           Line Replaceable Unit
MOSFET        Metal Oxide Field Effect Transistor
MVS           Maintaining Vehicle Safety
NDE           Non-Destructive Evaluation
NDI           Non-Destructive Inspection
NASA          National Aeronautics and Space Administration
NASSP         National Aviation Safety Strategic Plan
NAVAIR        Naval Air Systems Command
NextGen       Next Generation Air Transportation System
NTSB          National Transportation Safety Board
OGA           Other Government Agencies
OEM           Original Equipment Manufacturer
PASD          Pulse Arrested Static Discharge
PSM           Propulsion System Malfunction
SHM           Structural Health Monitoring
SBIR          Small Business Innovative Research
SOA           State-Of-The-Art
SSTDR         Spread-Spectrum Time Domain Reflectometry
TC            Technical Challenge Problem
TDR           Time Domain Reflectometry
UAV           Unmanned Aerial Vehicles
UER           Unscheduled Engine Removal
USAF          United States Air Force
VSST          Vehicle Systems Safety Technologies